summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMasakazu Mokuno <mokuno@sm.sony.co.jp>2008-04-14 13:07:21 +0400
committerJohn W. Linville <linville@tuxdriver.com>2008-04-15 23:04:36 +0400
commitb358492cd2a9c67bff352c5a60d86e7fc9627477 (patch)
tree680040ef48b8d7d4f07d7b07e2ac205fa6170144
parentdc4ae1f46dbbcd08b3b5e23ad5ef87bf4bb41adf (diff)
downloadlinux-b358492cd2a9c67bff352c5a60d86e7fc9627477.tar.xz
PS3: gelic: fix the oops on the broken IE returned from the hypervisor
This fixes the bug that the driver would try to over-scan the memory if the sum of the length field of every IEs does not match the length returned from the hypervisor. Signed-off-by: Masakazu Mokuno <mokuno@sm.sony.co.jp> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-rw-r--r--drivers/net/ps3_gelic_wireless.c11
1 files changed, 8 insertions, 3 deletions
diff --git a/drivers/net/ps3_gelic_wireless.c b/drivers/net/ps3_gelic_wireless.c
index ddbc6e475e28..c16de5129a71 100644
--- a/drivers/net/ps3_gelic_wireless.c
+++ b/drivers/net/ps3_gelic_wireless.c
@@ -512,13 +512,18 @@ static void gelic_wl_parse_ie(u8 *data, size_t len,
data, len);
memset(ie_info, 0, sizeof(struct ie_info));
- while (0 < data_left) {
+ while (2 <= data_left) {
item_id = *pos++;
item_len = *pos++;
+ data_left -= 2;
+
+ if (data_left < item_len)
+ break;
switch (item_id) {
case MFIE_TYPE_GENERIC:
- if (!memcmp(pos, wpa_oui, OUI_LEN) &&
+ if ((OUI_LEN + 1 <= item_len) &&
+ !memcmp(pos, wpa_oui, OUI_LEN) &&
pos[OUI_LEN] == 0x01) {
ie_info->wpa.data = pos - 2;
ie_info->wpa.len = item_len + 2;
@@ -535,7 +540,7 @@ static void gelic_wl_parse_ie(u8 *data, size_t len,
break;
}
pos += item_len;
- data_left -= item_len + 2;
+ data_left -= item_len;
}
pr_debug("%s: wpa=%p,%d wpa2=%p,%d\n", __func__,
ie_info->wpa.data, ie_info->wpa.len,