aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--net/ieee80211/ieee80211_wx.c12
1 files changed, 10 insertions, 2 deletions
diff --git a/net/ieee80211/ieee80211_wx.c b/net/ieee80211/ieee80211_wx.c
index 23e1630f50b7..f87c6b89f845 100644
--- a/net/ieee80211/ieee80211_wx.c
+++ b/net/ieee80211/ieee80211_wx.c
@@ -232,15 +232,18 @@ static char *ipw2100_translate_scan(struct ieee80211_device *ieee,
232 return start; 232 return start;
233} 233}
234 234
235#define SCAN_ITEM_SIZE 128
236
235int ieee80211_wx_get_scan(struct ieee80211_device *ieee, 237int ieee80211_wx_get_scan(struct ieee80211_device *ieee,
236 struct iw_request_info *info, 238 struct iw_request_info *info,
237 union iwreq_data *wrqu, char *extra) 239 union iwreq_data *wrqu, char *extra)
238{ 240{
239 struct ieee80211_network *network; 241 struct ieee80211_network *network;
240 unsigned long flags; 242 unsigned long flags;
243 int err = 0;
241 244
242 char *ev = extra; 245 char *ev = extra;
243 char *stop = ev + IW_SCAN_MAX_DATA; 246 char *stop = ev + wrqu->data.length;
244 int i = 0; 247 int i = 0;
245 248
246 IEEE80211_DEBUG_WX("Getting scan\n"); 249 IEEE80211_DEBUG_WX("Getting scan\n");
@@ -249,6 +252,11 @@ int ieee80211_wx_get_scan(struct ieee80211_device *ieee,
249 252
250 list_for_each_entry(network, &ieee->network_list, list) { 253 list_for_each_entry(network, &ieee->network_list, list) {
251 i++; 254 i++;
255 if (stop - ev < SCAN_ITEM_SIZE) {
256 err = -E2BIG;
257 break;
258 }
259
252 if (ieee->scan_age == 0 || 260 if (ieee->scan_age == 0 ||
253 time_after(network->last_scanned + ieee->scan_age, jiffies)) 261 time_after(network->last_scanned + ieee->scan_age, jiffies))
254 ev = ipw2100_translate_scan(ieee, ev, stop, network); 262 ev = ipw2100_translate_scan(ieee, ev, stop, network);
@@ -270,7 +278,7 @@ int ieee80211_wx_get_scan(struct ieee80211_device *ieee,
270 278
271 IEEE80211_DEBUG_WX("exit: %d networks returned.\n", i); 279 IEEE80211_DEBUG_WX("exit: %d networks returned.\n", i);
272 280
273 return 0; 281 return err;
274} 282}
275 283
276int ieee80211_wx_set_encode(struct ieee80211_device *ieee, 284int ieee80211_wx_set_encode(struct ieee80211_device *ieee,