aboutsummaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorArjan van de Ven <arjan@linux.intel.com>2009-09-26 14:51:14 -0400
committerJohn W. Linville <linville@tuxdriver.com>2009-09-28 16:55:06 -0400
commit8503bd8c7dc6f82ec2de9d05e0a476e6ca5adc8b (patch)
tree42da5de2f0ee624e675d7b27f7e8c05301de0d2d /net
parent0ff716136ab73d2fc1edc0664e38169e7a76bb9a (diff)
wext: Add bound checks for copy_from_user
The wireless extensions have a copy_from_user to a local stack array "essid", but both me and gcc have failed to find where the bounds for this copy are located in the code. This patch adds some basic sanity checks for the copy length to make sure that we don't overflow the stack buffer. Signed-off-by: Arjan van de Ven <arjan@linux.intel.com> Cc: linux-wireless@vger.kernel.org Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'net')
-rw-r--r--net/wireless/wext.c9
1 files changed, 6 insertions, 3 deletions
diff --git a/net/wireless/wext.c b/net/wireless/wext.c
index 5b4a0cee4418..ac4ac26b53ce 100644
--- a/net/wireless/wext.c
+++ b/net/wireless/wext.c
@@ -773,10 +773,13 @@ static int ioctl_standard_iw_point(struct iw_point *iwp, unsigned int cmd,
773 essid_compat = 1; 773 essid_compat = 1;
774 else if (IW_IS_SET(cmd) && (iwp->length != 0)) { 774 else if (IW_IS_SET(cmd) && (iwp->length != 0)) {
775 char essid[IW_ESSID_MAX_SIZE + 1]; 775 char essid[IW_ESSID_MAX_SIZE + 1];
776 unsigned int len;
777 len = iwp->length * descr->token_size;
776 778
777 err = copy_from_user(essid, iwp->pointer, 779 if (len > IW_ESSID_MAX_SIZE)
778 iwp->length * 780 return -EFAULT;
779 descr->token_size); 781
782 err = copy_from_user(essid, iwp->pointer, len);
780 if (err) 783 if (err)
781 return -EFAULT; 784 return -EFAULT;
782 785