Google Git
Sign in
linux / linux / kernel / git / klassert / ipsec-next / dd173abfead903c7df54e977535973f3312cd307
commitdd173abfead903c7df54e977535973f3312cd307[log] [tgz]
authorDan Carpenter <error27@gmail.com>Mon Sep 06 14:32:30 2010 +0200
committerGreg Kroah-Hartman <gregkh@suse.de>Mon Sep 20 16:31:54 2010 -0700
tree905398a016da8e714894786c24684fa532cace12
parent350aede603f7db7a9b4c1a340fbe89ccae6523a2 [diff]
Staging: vt6655: fix buffer overflow

"param->u.wpa_associate.wpa_ie_len" comes from the user.  We should
check it so that the copy_from_user() doesn't overflow the buffer.

Also further down in the function, we assume that if
"param->u.wpa_associate.wpa_ie_len" is set then "abyWPAIE[0]" is
initialized.  To make that work, I changed the test here to say that if
"wpa_ie_len" is set then "wpa_ie" has to be a valid pointer or we return
-EINVAL.

Oddly, we only use the first element of the abyWPAIE[] array.  So I
suspect there may be some other issues in this function.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
1 file changed
tree: 905398a016da8e714894786c24684fa532cace12
  1. arch/
  2. block/
  3. crypto/
  4. Documentation/
  5. drivers/
  6. firmware/
  7. fs/
  8. include/
  9. init/
  10. ipc/
  11. kernel/
  12. lib/
  13. mm/
  14. net/
  15. samples/
  16. scripts/
  17. security/
  18. sound/
  19. tools/
  20. usr/
  21. virt/
  22. .gitignore
  23. .mailmap
  24. COPYING
  25. CREDITS
  26. Kbuild
  27. MAINTAINERS
  28. Makefile
  29. README
  30. REPORTING-BUGS