aboutsummaryrefslogtreecommitdiffstats
path: root/drivers
diff options
context:
space:
mode:
authorJohn W. Linville <linville@tuxdriver.com>2009-05-20 10:51:41 -0400
committerJohn W. Linville <linville@tuxdriver.com>2009-05-20 14:29:54 -0400
commit267d493b322b05984048aef8ea9b5b213490bbe0 (patch)
tree167d6c2615990375e5a3af682f7bc3431f5851b5 /drivers
parent875690c378d64d9ee2de15cad8206d3f11ae5096 (diff)
airo: fix airo_get_encode{,ext} buffer overflow like I mean it...
"airo: airo_get_encode{,ext} potential buffer overflow" was actually a no-op, due to an unrecognized type overflow in an assignment. Oddly, gcc only seems to tell me about it when using -Wextra...grrr... Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/net/wireless/airo.c23
1 files changed, 14 insertions, 9 deletions
diff --git a/drivers/net/wireless/airo.c b/drivers/net/wireless/airo.c
index d73475739127..9eabf4d1f2e7 100644
--- a/drivers/net/wireless/airo.c
+++ b/drivers/net/wireless/airo.c
@@ -6467,6 +6467,7 @@ static int airo_get_encode(struct net_device *dev,
6467{ 6467{
6468 struct airo_info *local = dev->ml_priv; 6468 struct airo_info *local = dev->ml_priv;
6469 int index = (dwrq->flags & IW_ENCODE_INDEX) - 1; 6469 int index = (dwrq->flags & IW_ENCODE_INDEX) - 1;
6470 int wep_key_len;
6470 u8 buf[16]; 6471 u8 buf[16];
6471 6472
6472 if (!local->wep_capable) 6473 if (!local->wep_capable)
@@ -6500,11 +6501,13 @@ static int airo_get_encode(struct net_device *dev,
6500 dwrq->flags |= index + 1; 6501 dwrq->flags |= index + 1;
6501 6502
6502 /* Copy the key to the user buffer */ 6503 /* Copy the key to the user buffer */
6503 dwrq->length = get_wep_key(local, index, &buf[0], sizeof(buf)); 6504 wep_key_len = get_wep_key(local, index, &buf[0], sizeof(buf));
6504 if (dwrq->length != -1) 6505 if (wep_key_len < 0) {
6505 memcpy(extra, buf, dwrq->length);
6506 else
6507 dwrq->length = 0; 6506 dwrq->length = 0;
6507 } else {
6508 dwrq->length = wep_key_len;
6509 memcpy(extra, buf, dwrq->length);
6510 }
6508 6511
6509 return 0; 6512 return 0;
6510} 6513}
@@ -6617,7 +6620,7 @@ static int airo_get_encodeext(struct net_device *dev,
6617 struct airo_info *local = dev->ml_priv; 6620 struct airo_info *local = dev->ml_priv;
6618 struct iw_point *encoding = &wrqu->encoding; 6621 struct iw_point *encoding = &wrqu->encoding;
6619 struct iw_encode_ext *ext = (struct iw_encode_ext *)extra; 6622 struct iw_encode_ext *ext = (struct iw_encode_ext *)extra;
6620 int idx, max_key_len; 6623 int idx, max_key_len, wep_key_len;
6621 u8 buf[16]; 6624 u8 buf[16];
6622 6625
6623 if (!local->wep_capable) 6626 if (!local->wep_capable)
@@ -6661,11 +6664,13 @@ static int airo_get_encodeext(struct net_device *dev,
6661 memset(extra, 0, 16); 6664 memset(extra, 0, 16);
6662 6665
6663 /* Copy the key to the user buffer */ 6666 /* Copy the key to the user buffer */
6664 ext->key_len = get_wep_key(local, idx, &buf[0], sizeof(buf)); 6667 wep_key_len = get_wep_key(local, idx, &buf[0], sizeof(buf));
6665 if (ext->key_len != -1) 6668 if (wep_key_len < 0) {
6666 memcpy(extra, buf, ext->key_len);
6667 else
6668 ext->key_len = 0; 6669 ext->key_len = 0;
6670 } else {
6671 ext->key_len = wep_key_len;
6672 memcpy(extra, buf, ext->key_len);
6673 }
6669 6674
6670 return 0; 6675 return 0;
6671} 6676}