diff options
| author | Jean Tourrilhes <jt@hpl.hp.com> | 2006-10-10 17:45:44 -0400 |
|---|---|---|
| committer | John W. Linville <linville@tuxdriver.com> | 2006-10-16 20:09:48 -0400 |
| commit | 7e4e8d99c2288a490a0806b9cb40016913312cfe (patch) | |
| tree | f30aadcd9c28d46cbd098286e6d2efe546dfcf6e | |
| parent | 431aca5a18f15f61cc51c466073928c4f9565fe4 (diff) | |
[PATCH] orinoco: fix WE-21 buffer overflow
This patch fixes the Orinoco driver overflow issue with
WE-21.
Cc: Valdis Kletnieks <Valdis.Kletnieks@vt.edu>
Cc: Pavel Roskin <proski@gnu.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
| -rw-r--r-- | drivers/net/wireless/orinoco.c | 16 |
1 files changed, 9 insertions, 7 deletions
diff --git a/drivers/net/wireless/orinoco.c b/drivers/net/wireless/orinoco.c index b779c7dcc1a8..336cabac13b3 100644 --- a/drivers/net/wireless/orinoco.c +++ b/drivers/net/wireless/orinoco.c | |||
| @@ -2457,6 +2457,7 @@ void free_orinocodev(struct net_device *dev) | |||
| 2457 | /* Wireless extensions */ | 2457 | /* Wireless extensions */ |
| 2458 | /********************************************************************/ | 2458 | /********************************************************************/ |
| 2459 | 2459 | ||
| 2460 | /* Return : < 0 -> error code ; >= 0 -> length */ | ||
| 2460 | static int orinoco_hw_get_essid(struct orinoco_private *priv, int *active, | 2461 | static int orinoco_hw_get_essid(struct orinoco_private *priv, int *active, |
| 2461 | char buf[IW_ESSID_MAX_SIZE+1]) | 2462 | char buf[IW_ESSID_MAX_SIZE+1]) |
| 2462 | { | 2463 | { |
| @@ -2501,9 +2502,9 @@ static int orinoco_hw_get_essid(struct orinoco_private *priv, int *active, | |||
| 2501 | len = le16_to_cpu(essidbuf.len); | 2502 | len = le16_to_cpu(essidbuf.len); |
| 2502 | BUG_ON(len > IW_ESSID_MAX_SIZE); | 2503 | BUG_ON(len > IW_ESSID_MAX_SIZE); |
| 2503 | 2504 | ||
| 2504 | memset(buf, 0, IW_ESSID_MAX_SIZE+1); | 2505 | memset(buf, 0, IW_ESSID_MAX_SIZE); |
| 2505 | memcpy(buf, p, len); | 2506 | memcpy(buf, p, len); |
| 2506 | buf[len] = '\0'; | 2507 | err = len; |
| 2507 | 2508 | ||
| 2508 | fail_unlock: | 2509 | fail_unlock: |
| 2509 | orinoco_unlock(priv, &flags); | 2510 | orinoco_unlock(priv, &flags); |
| @@ -3027,17 +3028,18 @@ static int orinoco_ioctl_getessid(struct net_device *dev, | |||
| 3027 | 3028 | ||
| 3028 | if (netif_running(dev)) { | 3029 | if (netif_running(dev)) { |
| 3029 | err = orinoco_hw_get_essid(priv, &active, essidbuf); | 3030 | err = orinoco_hw_get_essid(priv, &active, essidbuf); |
| 3030 | if (err) | 3031 | if (err < 0) |
| 3031 | return err; | 3032 | return err; |
| 3033 | erq->length = err; | ||
| 3032 | } else { | 3034 | } else { |
| 3033 | if (orinoco_lock(priv, &flags) != 0) | 3035 | if (orinoco_lock(priv, &flags) != 0) |
| 3034 | return -EBUSY; | 3036 | return -EBUSY; |
| 3035 | memcpy(essidbuf, priv->desired_essid, IW_ESSID_MAX_SIZE + 1); | 3037 | memcpy(essidbuf, priv->desired_essid, IW_ESSID_MAX_SIZE); |
| 3038 | erq->length = strlen(priv->desired_essid); | ||
| 3036 | orinoco_unlock(priv, &flags); | 3039 | orinoco_unlock(priv, &flags); |
| 3037 | } | 3040 | } |
| 3038 | 3041 | ||
| 3039 | erq->flags = 1; | 3042 | erq->flags = 1; |
| 3040 | erq->length = strlen(essidbuf); | ||
| 3041 | 3043 | ||
| 3042 | return 0; | 3044 | return 0; |
| 3043 | } | 3045 | } |
| @@ -3075,10 +3077,10 @@ static int orinoco_ioctl_getnick(struct net_device *dev, | |||
| 3075 | if (orinoco_lock(priv, &flags) != 0) | 3077 | if (orinoco_lock(priv, &flags) != 0) |
| 3076 | return -EBUSY; | 3078 | return -EBUSY; |
| 3077 | 3079 | ||
| 3078 | memcpy(nickbuf, priv->nick, IW_ESSID_MAX_SIZE+1); | 3080 | memcpy(nickbuf, priv->nick, IW_ESSID_MAX_SIZE); |
| 3079 | orinoco_unlock(priv, &flags); | 3081 | orinoco_unlock(priv, &flags); |
| 3080 | 3082 | ||
| 3081 | nrq->length = strlen(nickbuf); | 3083 | nrq->length = strlen(priv->nick); |
| 3082 | 3084 | ||
| 3083 | return 0; | 3085 | return 0; |
| 3084 | } | 3086 | } |