Staging: vt6655: fix buffer overflow
"param->u.wpa_associate.wpa_ie_len" comes from the user. We should
check it so that the copy_from_user() doesn't overflow the buffer.
Also further down in the function, we assume that if
"param->u.wpa_associate.wpa_ie_len" is set then "abyWPAIE" is
initialized. To make that work, I changed the test here to say that if
"wpa_ie_len" is set then "wpa_ie" has to be a valid pointer or we return
Oddly, we only use the first element of the abyWPAIE array. So I
suspect there may be some other issues in this function.
Signed-off-by: Dan Carpenter <email@example.com>
Cc: stable <firstname.lastname@example.org>
Signed-off-by: Greg Kroah-Hartman <email@example.com>
1 file changed