hollalinux
/
linux-sg2042
mirror of https://github.com/sophgo/linux-riscv.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

airo: airo_get_encode{,ext} potential buffer overflow 

Feeding the return code of get_wep_key directly to the length parameter
of memcpy is a bad idea since it could be -1...

Reported-by: Eugene Teo <eugeneteo@kernel.sg>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
This commit is contained in:
John W. Linville 2009-05-04 11:18:57 -04:00
parent e1cc1c5780
commit aedec92268
1 changed files with 8 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
drivers/net/wireless/airo.c
View File

@ -6501,7 +6501,10 @@ static int airo_get_encode(struct net_device *dev,
/* Copy the key to the user buffer */
dwrq->length = get_wep_key(local, index, &buf[0], sizeof(buf));
memcpy(extra, buf, dwrq->length);
if (dwrq->length != -1)
memcpy(extra, buf, dwrq->length);
else
dwrq->length = 0;
return 0;
}
@ -6659,7 +6662,10 @@ static int airo_get_encodeext(struct net_device *dev,
/* Copy the key to the user buffer */
ext->key_len = get_wep_key(local, idx, &buf[0], sizeof(buf));
memcpy(extra, buf, ext->key_len);
if (ext->key_len != -1)
memcpy(extra, buf, ext->key_len);
else
ext->key_len = 0;
return 0;
}