Página inicial Explorar Ajuda
Registrar Entrar
phyus
/
linux-vybrid_public
8
0
Fork 0
Arquivos Issues 0 Pull Requests 0 Wiki
Ver código fonte

airo: airo_get_encode{,ext} potential buffer overflow

Feeding the return code of get_wep_key directly to the length parameter
of memcpy is a bad idea since it could be -1...

Reported-by: Eugene Teo <eugeneteo@kernel.sg>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
John W. Linville 16 anos atrás
pai
e1cc1c5780
commit
aedec92268
1 arquivos alterados com 8 adições e 2 exclusões
Visão dividida Mostrar estatísticas do Diff
  1. 8 2
      drivers/net/wireless/airo.c

+ 8 - 2
drivers/net/wireless/airo.c
Ver arquivo 

@@ -6501,7 +6501,10 @@ static int airo_get_encode(struct net_device *dev,
 
 
 	/* Copy the key to the user buffer */
 
 	dwrq->length = get_wep_key(local, index, &buf[0], sizeof(buf));
 
-	memcpy(extra, buf, dwrq->length);
 
+	if (dwrq->length != -1)
 
+		memcpy(extra, buf, dwrq->length);
 
+	else
 
+		dwrq->length = 0;
 
 
 	return 0;
 
 }
 
@@ -6659,7 +6662,10 @@ static int airo_get_encodeext(struct net_device *dev,
 
 	
 	/* Copy the key to the user buffer */
 
 	ext->key_len = get_wep_key(local, idx, &buf[0], sizeof(buf));
 
-	memcpy(extra, buf, ext->key_len);
 
+	if (ext->key_len != -1)
 
+		memcpy(extra, buf, ext->key_len);
 
+	else
 
+		ext->key_len = 0;
 
 
 	return 0;
 
 }