From 87bf24f3d2e076468deaa5181d44184887072904 Mon Sep 17 00:00:00 2001 From: Holger Schurig Date: Wed, 29 Oct 2008 10:35:02 +0100 Subject: libertas: remove two libertas sparse warning Johannes Berg detected this two sparse warnings: drivers/net/wireless/libertas/cmd.c:609:16: warning: cast to restricted __le16 drivers/net/wireless/libertas/cmd.c:611:16: warning: cast to restricted __le16 ... but cmd.minlevel is "s8", so we can access it directly and hope for the sign-extension-code in the compiler to convert that to the "s16" type. Signed-off-by: Holger Schurig Acked-by: Dan Williams Signed-off-by: John W. Linville --- drivers/net/wireless/libertas/cmd.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'drivers/net/wireless/libertas') diff --git a/drivers/net/wireless/libertas/cmd.c b/drivers/net/wireless/libertas/cmd.c index 297696de2da0..8265c7d25edc 100644 --- a/drivers/net/wireless/libertas/cmd.c +++ b/drivers/net/wireless/libertas/cmd.c @@ -605,9 +605,9 @@ int lbs_get_tx_power(struct lbs_private *priv, s16 *curlevel, s16 *minlevel, if (ret == 0) { *curlevel = le16_to_cpu(cmd.curlevel); if (minlevel) - *minlevel = le16_to_cpu(cmd.minlevel); + *minlevel = cmd.minlevel; if (maxlevel) - *maxlevel = le16_to_cpu(cmd.maxlevel); + *maxlevel = cmd.maxlevel; } lbs_deb_leave(LBS_DEB_CMD); -- cgit v1.2.2 From 48735d8d8bd701b1e0cd3d49c21e5e385ddcb077 Mon Sep 17 00:00:00 2001 From: Johannes Berg Date: Wed, 29 Oct 2008 11:43:32 +0100 Subject: libertas: fix buffer overrun If somebody sends an invalid beacon/probe response, that can trash the whole BSS descriptor. The descriptor is, luckily, large enough so that it cannot scribble past the end of it; it's well above 400 bytes long. Signed-off-by: Johannes Berg Cc: stable@kernel.org [2.6.24-2.6.27, bug present in some form since driver was added (2.6.22)] Signed-off-by: John W. Linville --- drivers/net/wireless/libertas/scan.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'drivers/net/wireless/libertas') diff --git a/drivers/net/wireless/libertas/scan.c b/drivers/net/wireless/libertas/scan.c index 8f66903641b9..22c4c6110521 100644 --- a/drivers/net/wireless/libertas/scan.c +++ b/drivers/net/wireless/libertas/scan.c @@ -598,8 +598,8 @@ static int lbs_process_bss(struct bss_descriptor *bss, switch (elem->id) { case MFIE_TYPE_SSID: - bss->ssid_len = elem->len; - memcpy(bss->ssid, elem->data, elem->len); + bss->ssid_len = min_t(int, 32, elem->len); + memcpy(bss->ssid, elem->data, bss->ssid_len); lbs_deb_scan("got SSID IE: '%s', len %u\n", escape_essid(bss->ssid, bss->ssid_len), bss->ssid_len); -- cgit v1.2.2