| From dd173abfead903c7df54e977535973f3312cd307 Mon Sep 17 00:00:00 2001 |
| From: Dan Carpenter <error27@gmail.com> |
| Date: Mon, 6 Sep 2010 14:32:30 +0200 |
| Subject: Staging: vt6655: fix buffer overflow |
| |
| From: Dan Carpenter <error27@gmail.com> |
| |
| commit dd173abfead903c7df54e977535973f3312cd307 upstream. |
| |
| "param->u.wpa_associate.wpa_ie_len" comes from the user. We should |
| check it so that the copy_from_user() doesn't overflow the buffer. |
| |
| Also further down in the function, we assume that if |
| "param->u.wpa_associate.wpa_ie_len" is set then "abyWPAIE[0]" is |
| initialized. To make that work, I changed the test here to say that if |
| "wpa_ie_len" is set then "wpa_ie" has to be a valid pointer or we return |
| -EINVAL. |
| |
| Oddly, we only use the first element of the abyWPAIE[] array. So I |
| suspect there may be some other issues in this function. |
| |
| Signed-off-by: Dan Carpenter <error27@gmail.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| |
| --- |
| drivers/staging/vt6655/wpactl.c | 11 ++++++++--- |
| 1 file changed, 8 insertions(+), 3 deletions(-) |
| |
| --- a/drivers/staging/vt6655/wpactl.c |
| +++ b/drivers/staging/vt6655/wpactl.c |
| @@ -767,9 +767,14 @@ static int wpa_set_associate(PSDevice pD |
| DBG_PRT(MSG_LEVEL_DEBUG, KERN_INFO "wpa_ie_len = %d\n", param->u.wpa_associate.wpa_ie_len); |
| |
| |
| - if (param->u.wpa_associate.wpa_ie && |
| - copy_from_user(&abyWPAIE[0], param->u.wpa_associate.wpa_ie, param->u.wpa_associate.wpa_ie_len)) |
| - return -EINVAL; |
| + if (param->u.wpa_associate.wpa_ie_len) { |
| + if (!param->u.wpa_associate.wpa_ie) |
| + return -EINVAL; |
| + if (param->u.wpa_associate.wpa_ie_len > sizeof(abyWPAIE)) |
| + return -EINVAL; |
| + if (copy_from_user(&abyWPAIE[0], param->u.wpa_associate.wpa_ie, param->u.wpa_associate.wpa_ie_len)) |
| + return -EFAULT; |
| + } |
| |
| if (param->u.wpa_associate.mode == 1) |
| pMgmt->eConfigMode = WMAC_CONFIG_IBSS_STA; |
