Commit aedec922 authored by John W. Linville's avatar John W. Linville

airo: airo_get_encode{,ext} potential buffer overflow

Feeding the return code of get_wep_key directly to the length parameter
of memcpy is a bad idea since it could be -1...
Reported-by: default avatarEugene Teo <eugeneteo@kernel.sg>
Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
parent e1cc1c57
......@@ -6501,7 +6501,10 @@ static int airo_get_encode(struct net_device *dev,
/* Copy the key to the user buffer */
dwrq->length = get_wep_key(local, index, &buf[0], sizeof(buf));
if (dwrq->length != -1)
memcpy(extra, buf, dwrq->length);
else
dwrq->length = 0;
return 0;
}
......@@ -6659,7 +6662,10 @@ static int airo_get_encodeext(struct net_device *dev,
/* Copy the key to the user buffer */
ext->key_len = get_wep_key(local, idx, &buf[0], sizeof(buf));
if (ext->key_len != -1)
memcpy(extra, buf, ext->key_len);
else
ext->key_len = 0;
return 0;
}
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment