Merge branch 'upstream-linus' of master.kernel.org:/pub/scm/linux/kernel/git/jgarzik/netdev-2.6

* 'upstream-linus' of master.kernel.org:/pub/scm/linux/kernel/git/jgarzik/netdev-2.6: (22 commits) [PATCH] ibmveth: Fix index increment calculation [PATCH] Fix timer race [PATCH] Remove useless comment from sb1250 [PATCH] ucc_geth: changes to ucc_geth driver as a result of qe_lib changes and bugfixes [PATCH] sky2: 88E803X transmit lockup [PATCH] e1000: Reset all functions after a PCI error [PATCH] WAN/pc300: handle, propagate minor errors [PATCH] Update smc91x driver with ARM Versatile board info [PATCH] wireless: WE-20 compatibility for ESSID and NICKN ioctls [PATCH] zd1211rw: fix build-break caused by association race fix [PATCH] sotftmac: fix a slab corruption in WEP restricted key association [PATCH] airo: check if need to freeze [PATCH] wireless: More WE-21 potential overflows... [PATCH] zd1201: Possible NULL dereference [PATCH] orinoco: fix WE-21 buffer overflow [PATCH] airo.c: check returned values [PATCH] bcm43xx-softmac: Fix system hang for x86-64 with >1GB RAM [PATCH] bcm43xx-softmac: check returned value from pci_enable_device [PATCH] softmac: Fix WX and association related races [PATCH] bcm43xx: fix race condition in periodic work handler ...
author: Linus Torvalds <torvalds@g5.osdl.org> 2006-10-21 16:40:29 -0400
committer: Linus Torvalds <torvalds@g5.osdl.org> 2006-10-21 16:40:29 -0400
commit: dcf234f3b0cbc4d2b73f5ee02405b117c5d77fbd (patch)
tree: 1c2c3e2dbfcc709d6b5187ec311706aab76025c3 /net/core
parent: 946b92437e550d6ed80213bf54a1f383e141aede (diff)
parent: 5826cade4341a6298eb10d476dccc5f403ca7ad8 (diff)
1 files changed, 32 insertions, 1 deletions
diff --git a/net/core/wireless.c b/net/core/wireless.c
index ffff0da46c6e..cb1b8728d7ee 100644
--- a/net/core/wireless.c
+++ b/net/core/wireless.c
@@ -748,11 +748,39 @@ static int ioctl_standard_call(struct net_device *	dev,
                int     extra_size;
                int     user_length = 0;
                int     err;
+                int     essid_compat = 0;
                /* Calculate space needed by arguments. Always allocate
                 * for max space. Easier, and won't last long... */
                extra_size = descr->max_tokens * descr->token_size;
+                /* Check need for ESSID compatibility for WE < 21 */
+                switch (cmd) {
+                case SIOCSIWESSID:
+                case SIOCGIWESSID:
+                case SIOCSIWNICKN:
+                case SIOCGIWNICKN:
+                        if (iwr->u.data.length == descr->max_tokens + 1)
+                                essid_compat = 1;
+                        else if (IW_IS_SET(cmd) && (iwr->u.data.length != 0)) {
+                                char essid[IW_ESSID_MAX_SIZE + 1];
+                                err = copy_from_user(essid, iwr->u.data.pointer,
+                                                     iwr->u.data.length *
+                                                     descr->token_size);
+                                if (err)
+                                        return -EFAULT;
+                                if (essid[iwr->u.data.length - 1] == '\0')
+                                        essid_compat = 1;
+                        }
+                        break;
+                default:
+                        break;
+                }
+                iwr->u.data.length -= essid_compat;
                /* Check what user space is giving us */
                if(IW_IS_SET(cmd)) {
                        /* Check NULL pointer */
@@ -795,7 +823,8 @@ static int ioctl_standard_call(struct net_device *	dev,
 #endif  /* WE_IOCTL_DEBUG */
                /* Create the kernel buffer */
-                extra = kmalloc(extra_size, GFP_KERNEL);
+                /*    kzalloc ensures NULL-termination for essid_compat */
+                extra = kzalloc(extra_size, GFP_KERNEL);
                if (extra == NULL) {
                        return -ENOMEM;
                }
@@ -819,6 +848,8 @@ static int ioctl_standard_call(struct net_device *	dev,
                /* Call the handler */
                ret = handler(dev, &info, &(iwr->u), extra);
+                iwr->u.data.length += essid_compat;
                /* If we have something to return to the user */
                if (!ret && IW_IS_GET(cmd)) {
                        /* Check if there is enough buffer up there */
author	Linus Torvalds <torvalds@g5.osdl.org>	2006-10-21 16:40:29 -0400
committer	Linus Torvalds <torvalds@g5.osdl.org>	2006-10-21 16:40:29 -0400
commit	dcf234f3b0cbc4d2b73f5ee02405b117c5d77fbd (patch)
tree	1c2c3e2dbfcc709d6b5187ec311706aab76025c3 /net/core
parent	946b92437e550d6ed80213bf54a1f383e141aede (diff)
parent	5826cade4341a6298eb10d476dccc5f403ca7ad8 (diff)

diff --git a/net/core/wireless.c b/net/core/wireless.c index ffff0da46c6e..cb1b8728d7ee 100644 --- a/net/core/wireless.c +++ b/net/core/wireless.c
@@ -748,11 +748,39 @@ static int ioctl_standard_call(struct net_device * dev,
748	int extra_size;	748	int extra_size;
749	int user_length = 0;	749	int user_length = 0;
750	int err;	750	int err;
		751	int essid_compat = 0;
751		752
752	/* Calculate space needed by arguments. Always allocate	753	/* Calculate space needed by arguments. Always allocate
753	* for max space. Easier, and won't last long... */	754	* for max space. Easier, and won't last long... */
754	extra_size = descr->max_tokens * descr->token_size;	755	extra_size = descr->max_tokens * descr->token_size;
755		756
		757	/* Check need for ESSID compatibility for WE < 21 */
		758	switch (cmd) {
		759	case SIOCSIWESSID:
		760	case SIOCGIWESSID:
		761	case SIOCSIWNICKN:
		762	case SIOCGIWNICKN:
		763	if (iwr->u.data.length == descr->max_tokens + 1)
		764	essid_compat = 1;
		765	else if (IW_IS_SET(cmd) && (iwr->u.data.length != 0)) {
		766	char essid[IW_ESSID_MAX_SIZE + 1];
		767
		768	err = copy_from_user(essid, iwr->u.data.pointer,
		769	iwr->u.data.length *
		770	descr->token_size);
		771	if (err)
		772	return -EFAULT;
		773
		774	if (essid[iwr->u.data.length - 1] == '\0')
		775	essid_compat = 1;
		776	}
		777	break;
		778	default:
		779	break;
		780	}
		781
		782	iwr->u.data.length -= essid_compat;
		783
756	/* Check what user space is giving us */	784	/* Check what user space is giving us */
757	if(IW_IS_SET(cmd)) {	785	if(IW_IS_SET(cmd)) {
758	/* Check NULL pointer */	786	/* Check NULL pointer */
@@ -795,7 +823,8 @@ static int ioctl_standard_call(struct net_device * dev,
795	#endif /* WE_IOCTL_DEBUG */	823	#endif /* WE_IOCTL_DEBUG */
796		824
797	/* Create the kernel buffer */	825	/* Create the kernel buffer */
798	extra = kmalloc(extra_size, GFP_KERNEL);	826	/* kzalloc ensures NULL-termination for essid_compat */
		827	extra = kzalloc(extra_size, GFP_KERNEL);
799	if (extra == NULL) {	828	if (extra == NULL) {
800	return -ENOMEM;	829	return -ENOMEM;
801	}	830	}
@@ -819,6 +848,8 @@ static int ioctl_standard_call(struct net_device * dev,
819	/* Call the handler */	848	/* Call the handler */
820	ret = handler(dev, &info, &(iwr->u), extra);	849	ret = handler(dev, &info, &(iwr->u), extra);
821		850
		851	iwr->u.data.length += essid_compat;
		852
822	/* If we have something to return to the user */	853	/* If we have something to return to the user */
823	if (!ret && IW_IS_GET(cmd)) {	854	if (!ret && IW_IS_GET(cmd)) {
824	/* Check if there is enough buffer up there */	855	/* Check if there is enough buffer up there */