diff options
author | John W. Linville <linville@tuxdriver.com> | 2009-05-04 19:18:57 +0400 |
---|---|---|
committer | John W. Linville <linville@tuxdriver.com> | 2009-05-11 23:07:01 +0400 |
commit | aedec9226809ae9d1972f8f8079fc70206ee7a88 (patch) | |
tree | 21e003e44b23d5b780e3da8431098e955851948a /drivers/net/wireless/airo.c | |
parent | e1cc1c578055d20d36e084e324001fb5e0355a71 (diff) | |
download | linux-aedec9226809ae9d1972f8f8079fc70206ee7a88.tar.xz |
airo: airo_get_encode{,ext} potential buffer overflow
Feeding the return code of get_wep_key directly to the length parameter
of memcpy is a bad idea since it could be -1...
Reported-by: Eugene Teo <eugeneteo@kernel.sg>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'drivers/net/wireless/airo.c')
-rw-r--r-- | drivers/net/wireless/airo.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/drivers/net/wireless/airo.c b/drivers/net/wireless/airo.c index c36d3a3d655f..d73475739127 100644 --- a/drivers/net/wireless/airo.c +++ b/drivers/net/wireless/airo.c @@ -6501,7 +6501,10 @@ static int airo_get_encode(struct net_device *dev, /* Copy the key to the user buffer */ dwrq->length = get_wep_key(local, index, &buf[0], sizeof(buf)); - memcpy(extra, buf, dwrq->length); + if (dwrq->length != -1) + memcpy(extra, buf, dwrq->length); + else + dwrq->length = 0; return 0; } @@ -6659,7 +6662,10 @@ static int airo_get_encodeext(struct net_device *dev, /* Copy the key to the user buffer */ ext->key_len = get_wep_key(local, idx, &buf[0], sizeof(buf)); - memcpy(extra, buf, ext->key_len); + if (ext->key_len != -1) + memcpy(extra, buf, ext->key_len); + else + ext->key_len = 0; return 0; } |