airo: airo_get_encode{,ext} potential buffer overflow

Feeding the return code of get_wep_key directly to the length parameter
of memcpy is a bad idea since it could be -1...

Reported-by: Eugene Teo <eugeneteo@kernel.sg>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
This commit is contained in:
John W. Linville 2009-05-04 11:18:57 -04:00
parent e1cc1c5780
commit aedec92268

View File

@ -6501,7 +6501,10 @@ static int airo_get_encode(struct net_device *dev,
/* Copy the key to the user buffer */
dwrq->length = get_wep_key(local, index, &buf[0], sizeof(buf));
if (dwrq->length != -1)
memcpy(extra, buf, dwrq->length);
else
dwrq->length = 0;
return 0;
}
@ -6659,7 +6662,10 @@ static int airo_get_encodeext(struct net_device *dev,
/* Copy the key to the user buffer */
ext->key_len = get_wep_key(local, idx, &buf[0], sizeof(buf));
if (ext->key_len != -1)
memcpy(extra, buf, ext->key_len);
else
ext->key_len = 0;
return 0;
}