iwmc3200wifi: add some more range checks

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

My previous patch added a check to get_key() but missed a couple
other places which need range checks.

The problem here is that wifi drivers have different numbers of keys.
The lower levels assume that they can have up to 4 default keys and
2 management keys but this driver only has the default keys so we
could go past the end of the ->keys[] array.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Samuel Ortiz <sameo@linux.intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

authored by

Dan Carpenter and committed by

John W. Linville 14 years ago 5a5ee76e ec3cbb9c

+13 -2

1 changed file

expand all

drivers

net

wireless

iwmc3200wifi

cfg80211.c

+13 -2

drivers/net/wireless/iwmc3200wifi/cfg80211.c

··· 165 165 struct key_params *params) 166 166 { 167 167 struct iwm_priv *iwm = ndev_to_iwm(ndev); 168 - struct iwm_key *key = &iwm->keys[key_index]; 168 + struct iwm_key *key; 169 169 int ret; 170 170 171 171 IWM_DBG_WEXT(iwm, DBG, "Adding key for %pM\n", mac_addr); 172 172 173 + if (key_index >= IWM_NUM_KEYS) 174 + return -ENOENT; 175 + 176 + key = &iwm->keys[key_index]; 173 177 memset(key, 0, sizeof(struct iwm_key)); 174 178 ret = iwm_key_init(key, key_index, mac_addr, params); 175 179 if (ret < 0) { ··· 218 214 u8 key_index, bool pairwise, const u8 *mac_addr) 219 215 { 220 216 struct iwm_priv *iwm = ndev_to_iwm(ndev); 221 - struct iwm_key *key = &iwm->keys[key_index]; 217 + struct iwm_key *key; 222 218 219 + if (key_index >= IWM_NUM_KEYS) 220 + return -ENOENT; 221 + 222 + key = &iwm->keys[key_index]; 223 223 if (!iwm->keys[key_index].key_len) { 224 224 IWM_DBG_WEXT(iwm, DBG, "Key %d not used\n", key_index); 225 225 return 0; ··· 243 235 struct iwm_priv *iwm = ndev_to_iwm(ndev); 244 236 245 237 IWM_DBG_WEXT(iwm, DBG, "Default key index is: %d\n", key_index); 238 + 239 + if (key_index >= IWM_NUM_KEYS) 240 + return -ENOENT; 246 241 247 242 if (!iwm->keys[key_index].key_len) { 248 243 IWM_ERR(iwm, "Key %d not used\n", key_index);