summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJohn W. Linville <linville@tuxdriver.com>2009-05-04 17:18:57 +0200
committerJohn W. Linville <linville@tuxdriver.com>2009-05-11 21:07:01 +0200
commitaedec9226809ae9d1972f8f8079fc70206ee7a88 (patch)
tree21e003e44b23d5b780e3da8431098e955851948a
parentMerge branch 'net-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/chr... (diff)
downloadlinux-aedec9226809ae9d1972f8f8079fc70206ee7a88.tar.xz
linux-aedec9226809ae9d1972f8f8079fc70206ee7a88.zip
airo: airo_get_encode{,ext} potential buffer overflow
Feeding the return code of get_wep_key directly to the length parameter of memcpy is a bad idea since it could be -1... Reported-by: Eugene Teo <eugeneteo@kernel.sg> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-rw-r--r--drivers/net/wireless/airo.c10
1 files changed, 8 insertions, 2 deletions
diff --git a/drivers/net/wireless/airo.c b/drivers/net/wireless/airo.c
index c36d3a3d655f..d73475739127 100644
--- a/drivers/net/wireless/airo.c
+++ b/drivers/net/wireless/airo.c
@@ -6501,7 +6501,10 @@ static int airo_get_encode(struct net_device *dev,
/* Copy the key to the user buffer */
dwrq->length = get_wep_key(local, index, &buf[0], sizeof(buf));
- memcpy(extra, buf, dwrq->length);
+ if (dwrq->length != -1)
+ memcpy(extra, buf, dwrq->length);
+ else
+ dwrq->length = 0;
return 0;
}
@@ -6659,7 +6662,10 @@ static int airo_get_encodeext(struct net_device *dev,
/* Copy the key to the user buffer */
ext->key_len = get_wep_key(local, idx, &buf[0], sizeof(buf));
- memcpy(extra, buf, ext->key_len);
+ if (ext->key_len != -1)
+ memcpy(extra, buf, ext->key_len);
+ else
+ ext->key_len = 0;
return 0;
}