renegade-project/linux-next
2
0
Fork 0
mirror of https://github.com/edk2-porting/linux-next.git synced 2025-01-02 18:54:10 +08:00
Code

airo: airo_get_encode{,ext} potential buffer overflow

Browse Source 
Feeding the return code of get_wep_key directly to the length parameter
of memcpy is a bad idea since it could be -1...

Reported-by: Eugene Teo <eugeneteo@kernel.sg>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
This commit is contained in:
John W. Linville 2009-05-04 11:18:57 -04:00
parent e1cc1c5780
commit aedec92268
1 changed files with 8 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
drivers/net/wireless/airo.c
View File

@ -6501,7 +6501,10 @@ static int airo_get_encode(struct net_device *dev,
/* Copy the key to the user buffer */ /* Copy the key to the user buffer */
dwrq->length = get_wep_key(local, index, &buf[0], sizeof(buf)); dwrq->length = get_wep_key(local, index, &buf[0], sizeof(buf));
memcpy(extra, buf, dwrq->length); if (dwrq->length != -1)
memcpy(extra, buf, dwrq->length);
else
dwrq->length = 0;
return 0; return 0;
} }
@ -6659,7 +6662,10 @@ static int airo_get_encodeext(struct net_device *dev,
/* Copy the key to the user buffer */ /* Copy the key to the user buffer */
ext->key_len = get_wep_key(local, idx, &buf[0], sizeof(buf)); ext->key_len = get_wep_key(local, idx, &buf[0], sizeof(buf));
memcpy(extra, buf, ext->key_len); if (ext->key_len != -1)
memcpy(extra, buf, ext->key_len);
else
ext->key_len = 0;
return 0; return 0;
} }