aboutsummaryrefslogtreecommitdiffstats
path: root/drivers/net/wireless/hostap
diff options
context:
space:
mode:
authorPavel Roskin <proski@gnu.org>2006-10-24 22:41:27 -0400
committerJohn W. Linville <linville@laptop.(none)>2006-10-31 22:15:39 -0500
commit115e222d538e7838bffa0f76409acd9816a0ef32 (patch)
tree8781a87c864aa2fc5206469f444f0e0710bd2a45 /drivers/net/wireless/hostap
parentaec41a0d02342fc9e3b6bb278eae50fa29f04d1f (diff)
[PATCH] hostap_plx: fix CIS verification
The length of the manfid CIS should be at least 4, and it's normally 4. It's incorrect to require it to be at least 5. This breaks support for most (if not all) cards. The right place to ensure that we don't access beyond the CIS buffer is to strengthen another check. Make sure that the next tuple begins at least at the CIS buffer end (in which case we stop processing) or before that. Reported by ph35sm@free.fr Signed-off-by: Pavel Roskin <proski@gnu.org> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'drivers/net/wireless/hostap')
-rw-r--r--drivers/net/wireless/hostap/hostap_plx.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/drivers/net/wireless/hostap/hostap_plx.c b/drivers/net/wireless/hostap/hostap_plx.c
index 6dfa041be66d..bc81b13a5a2a 100644
--- a/drivers/net/wireless/hostap/hostap_plx.c
+++ b/drivers/net/wireless/hostap/hostap_plx.c
@@ -364,7 +364,7 @@ static int prism2_plx_check_cis(void __iomem *attr_mem, int attr_len,
364 364
365 pos = 0; 365 pos = 0;
366 while (pos < CIS_MAX_LEN - 1 && cis[pos] != CISTPL_END) { 366 while (pos < CIS_MAX_LEN - 1 && cis[pos] != CISTPL_END) {
367 if (pos + cis[pos + 1] >= CIS_MAX_LEN) 367 if (pos + 2 + cis[pos + 1] > CIS_MAX_LEN)
368 goto cis_error; 368 goto cis_error;
369 369
370 switch (cis[pos]) { 370 switch (cis[pos]) {
@@ -391,7 +391,7 @@ static int prism2_plx_check_cis(void __iomem *attr_mem, int attr_len,
391 break; 391 break;
392 392
393 case CISTPL_MANFID: 393 case CISTPL_MANFID:
394 if (cis[pos + 1] < 5) 394 if (cis[pos + 1] < 4)
395 goto cis_error; 395 goto cis_error;
396 manfid1 = cis[pos + 2] + (cis[pos + 3] << 8); 396 manfid1 = cis[pos + 2] + (cis[pos + 3] << 8);
397 manfid2 = cis[pos + 4] + (cis[pos + 5] << 8); 397 manfid2 = cis[pos + 4] + (cis[pos + 5] << 8);