aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--drivers/net/ps3_gelic_wireless.c11
1 files changed, 8 insertions, 3 deletions
diff --git a/drivers/net/ps3_gelic_wireless.c b/drivers/net/ps3_gelic_wireless.c
index ddbc6e475e28..c16de5129a71 100644
--- a/drivers/net/ps3_gelic_wireless.c
+++ b/drivers/net/ps3_gelic_wireless.c
@@ -512,13 +512,18 @@ static void gelic_wl_parse_ie(u8 *data, size_t len,
512 data, len); 512 data, len);
513 memset(ie_info, 0, sizeof(struct ie_info)); 513 memset(ie_info, 0, sizeof(struct ie_info));
514 514
515 while (0 < data_left) { 515 while (2 <= data_left) {
516 item_id = *pos++; 516 item_id = *pos++;
517 item_len = *pos++; 517 item_len = *pos++;
518 data_left -= 2;
519
520 if (data_left < item_len)
521 break;
518 522
519 switch (item_id) { 523 switch (item_id) {
520 case MFIE_TYPE_GENERIC: 524 case MFIE_TYPE_GENERIC:
521 if (!memcmp(pos, wpa_oui, OUI_LEN) && 525 if ((OUI_LEN + 1 <= item_len) &&
526 !memcmp(pos, wpa_oui, OUI_LEN) &&
522 pos[OUI_LEN] == 0x01) { 527 pos[OUI_LEN] == 0x01) {
523 ie_info->wpa.data = pos - 2; 528 ie_info->wpa.data = pos - 2;
524 ie_info->wpa.len = item_len + 2; 529 ie_info->wpa.len = item_len + 2;
@@ -535,7 +540,7 @@ static void gelic_wl_parse_ie(u8 *data, size_t len,
535 break; 540 break;
536 } 541 }
537 pos += item_len; 542 pos += item_len;
538 data_left -= item_len + 2; 543 data_left -= item_len;
539 } 544 }
540 pr_debug("%s: wpa=%p,%d wpa2=%p,%d\n", __func__, 545 pr_debug("%s: wpa=%p,%d wpa2=%p,%d\n", __func__,
541 ie_info->wpa.data, ie_info->wpa.len, 546 ie_info->wpa.data, ie_info->wpa.len,