authorDan Carpenter <error27@gmail.com>2010-09-06 08:32:30 -0400
committerGreg Kroah-Hartman <gregkh@suse.de>2010-09-20 19:31:54 -0400
commitdd173abfead903c7df54e977535973f3312cd307 (patch)
tree905398a016da8e714894786c24684fa532cace12
parent350aede603f7db7a9b4c1a340fbe89ccae6523a2 (diff)
Staging: vt6655: fix buffer overflow
"param->u.wpa_associate.wpa_ie_len" comes from the user. We should check it so that the copy_from_user() doesn't overflow the buffer. Also further down in the function, we assume that if "param->u.wpa_associate.wpa_ie_len" is set then "abyWPAIE[0]" is initialized. To make that work, I changed the test here to say that if "wpa_ie_len" is set then "wpa_ie" has to be a valid pointer or we return -EINVAL. Oddly, we only use the first element of the abyWPAIE[] array. So I suspect there may be some other issues in this function. Signed-off-by: Dan Carpenter <error27@gmail.com> Cc: stable <stable@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-rw-r--r--drivers/staging/vt6655/wpactl.c11
1 files changed, 8 insertions, 3 deletions
diff --git a/drivers/staging/vt6655/wpactl.c b/drivers/staging/vt6655/wpactl.c
index 0142338bcafe..4bdb8362de82 100644
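--- a/drivers/staging/vt6655/wpactl.c
+++ b/drivers/staging/vt6655/wpactl.c
@@ -766,9 +766,14 @@ static int wpa_set_associate(PSDevice pDevice,
 DBG_PRT(MSG_LEVEL_DEBUG, KERN_INFO "wpa_ie_len = %d\n", param->u.wpa_associate.wpa_ie_len);
 
 
-if (param->u.wpa_associate.wpa_ie &&
-copy_from_user(&abyWPAIE[0], param->u.wpa_associate.wpa_ie, param->u.wpa_associate.wpa_ie_len))
-return -EINVAL;
+if (param->u.wpa_associate.wpa_ie_len) {
+if (!param->u.wpa_associate.wpa_ie)
+return -EINVAL;
+if (param->u.wpa_associate.wpa_ie_len > sizeof(abyWPAIE))
+return -EINVAL;
+if (copy_from_user(&abyWPAIE[0], param->u.wpa_associate.wpa_ie, param->u.wpa_associate.wpa_ie_len))
+return -EFAULT;
+}
 
 if (param->u.wpa_associate.mode == 1)
 pMgmt->eConfigMode = WMAC_CONFIG_IBSS_STA;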
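Review bot: The new bound `wpa_ie_len > sizeof(abyWPAIE)` is only correct while `abyWPAIE` is a true array in this scope, and its declaration is outside the hunk; if it were ever turned into a pointer or an allocated buffer, `sizeof` would silently become the pointer size. A copy shorter than the buffer also leaves the bytes past `wpa_ie_len` unwritten, so unless the array is zeroed where it is declared, later code in wpa_set_associate (which continues outside this hunk) should read no more than `wpa_ie_len` bytes of it. I would record both assumptions in a comment above the block, e.g. `/* wpa_ie and wpa_ie_len come from user space; wpa_ie_len is bounded by the fixed-size abyWPAIE[] array */`.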