Commit b358492c authored by Masakazu Mokuno's avatar Masakazu Mokuno Committed by John W. Linville

PS3: gelic: fix the oops on the broken IE returned from the hypervisor

This fixes a bug where the driver would scan past the end of the memory
if the sum of the length fields of all IEs does not match the length
returned from the hypervisor.
Signed-off-by: default avatarMasakazu Mokuno <mokuno@sm.sony.co.jp>
Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
parent dc4ae1f4
...@@ -512,13 +512,18 @@ static void gelic_wl_parse_ie(u8 *data, size_t len, ...@@ -512,13 +512,18 @@ static void gelic_wl_parse_ie(u8 *data, size_t len,
data, len); data, len);
memset(ie_info, 0, sizeof(struct ie_info)); memset(ie_info, 0, sizeof(struct ie_info));
while (0 < data_left) { while (2 <= data_left) {
item_id = *pos++; item_id = *pos++;
item_len = *pos++; item_len = *pos++;
data_left -= 2;
if (data_left < item_len)
break;
switch (item_id) { switch (item_id) {
case MFIE_TYPE_GENERIC: case MFIE_TYPE_GENERIC:
if (!memcmp(pos, wpa_oui, OUI_LEN) && if ((OUI_LEN + 1 <= item_len) &&
!memcmp(pos, wpa_oui, OUI_LEN) &&
pos[OUI_LEN] == 0x01) { pos[OUI_LEN] == 0x01) {
ie_info->wpa.data = pos - 2; ie_info->wpa.data = pos - 2;
ie_info->wpa.len = item_len + 2; ie_info->wpa.len = item_len + 2;
...@@ -535,7 +540,7 @@ static void gelic_wl_parse_ie(u8 *data, size_t len, ...@@ -535,7 +540,7 @@ static void gelic_wl_parse_ie(u8 *data, size_t len,
break; break;
} }
pos += item_len; pos += item_len;
data_left -= item_len + 2; data_left -= item_len;
} }
pr_debug("%s: wpa=%p,%d wpa2=%p,%d\n", __func__, pr_debug("%s: wpa=%p,%d wpa2=%p,%d\n", __func__,
ie_info->wpa.data, ie_info->wpa.len, ie_info->wpa.data, ie_info->wpa.len,
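Review bot: The new early exit `if (data_left < item_len) break;` drops a truncated element and everything after it without any trace, although this is exactly the case where the hypervisor returned an inconsistent IE list. A comment there such as `/* IE claims more bytes than remain: malformed list, stop parsing */`, ideally with a `pr_debug` beside it, would make this visible when diagnosing scan results. The `OUI_LEN + 1 <= item_len` guard in the MFIE_TYPE_GENERIC case also deserves a short comment saying that the extra byte is the type octet read as `pos[OUI_LEN]`. The switch cases between the two hunks are not shown, so whether they need a similar minimum-length check cannot be judged from here; gelic_wl_parse_ie begins and ends outside the visible hunks.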