commit aedec9226809ae9d1972f8f8079fc70206ee7a88 · tjh.dev/kernel

tjh.dev / kernel

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

airo: airo_get_encode{,ext} potential buffer overflow

Feeding the return code of get_wep_key directly to the length parameter
of memcpy is a bad idea since it could be -1...

Reported-by: Eugene Teo <eugeneteo@kernel.sg>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

John W. Linville 16 years ago aedec922 e1cc1c57

+8 -2

1 changed file

expand all

unified split

drivers

net

wireless

airo.c

+8 -2

drivers/net/wireless/airo.c

··· 6501 6502 /* Copy the key to the user buffer */ 6503 dwrq->length = get_wep_key(local, index, &buf[0], sizeof(buf)); 6504 - memcpy(extra, buf, dwrq->length); 6505 6506 return 0; 6507 } ··· 6662 6663 /* Copy the key to the user buffer */ 6664 ext->key_len = get_wep_key(local, idx, &buf[0], sizeof(buf)); 6665 - memcpy(extra, buf, ext->key_len); 6666 6667 return 0; 6668 }

··· 6501 6502 /* Copy the key to the user buffer */ 6503 dwrq->length = get_wep_key(local, index, &buf[0], sizeof(buf)); 6504 + if (dwrq->length != -1) 6505 + memcpy(extra, buf, dwrq->length); 6506 + else 6507 + dwrq->length = 0; 6508 6509 return 0; 6510 } ··· 6659 6660 /* Copy the key to the user buffer */ 6661 ext->key_len = get_wep_key(local, idx, &buf[0], sizeof(buf)); 6662 + if (ext->key_len != -1) 6663 + memcpy(extra, buf, ext->key_len); 6664 + else 6665 + ext->key_len = 0; 6666 6667 return 0; 6668 }