forked from Minki/linux
airo: airo_get_encode{,ext} potential buffer overflow
Feeding the return code of get_wep_key directly to the length parameter of memcpy is a bad idea since it could be -1... Reported-by: Eugene Teo <eugeneteo@kernel.sg> Signed-off-by: John W. Linville <linville@tuxdriver.com>
This commit is contained in:
parent
e1cc1c5780
commit
aedec92268
@ -6501,7 +6501,10 @@ static int airo_get_encode(struct net_device *dev,
|
||||
|
||||
/* Copy the key to the user buffer */
|
||||
dwrq->length = get_wep_key(local, index, &buf[0], sizeof(buf));
|
||||
if (dwrq->length != -1)
|
||||
memcpy(extra, buf, dwrq->length);
|
||||
else
|
||||
dwrq->length = 0;
|
||||
|
||||
return 0;
|
||||
}
|
||||
@ -6659,7 +6662,10 @@ static int airo_get_encodeext(struct net_device *dev,
|
||||
|
||||
/* Copy the key to the user buffer */
|
||||
ext->key_len = get_wep_key(local, idx, &buf[0], sizeof(buf));
|
||||
if (ext->key_len != -1)
|
||||
memcpy(extra, buf, ext->key_len);
|
||||
else
|
||||
ext->key_len = 0;
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user