[patch] Staging: vt6655: memory corruption in check in wpa_set_wpadev()
Dan Carpenter
dan.carpenter at oracle.com
Tue Oct 18 06:27:25 UTC 2011
The original code left it up to the user to decide how much data to
copy, but that doesn't work with a fixed size array.
Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
diff --git a/drivers/staging/vt6655/wpactl.c b/drivers/staging/vt6655/wpactl.c
index a0f994e..732ba88 100644
--- a/drivers/staging/vt6655/wpactl.c
+++ b/drivers/staging/vt6655/wpactl.c
@@ -213,7 +213,9 @@ int wpa_set_wpadev(PSDevice pDevice, int val)
int uu, ii;
- if (param->u.wpa_key.alg_name > WPA_ALG_CCMP)
+ if (param->u.wpa_key.alg_name > WPA_ALG_CCMP ||
+ param->u.wpa_key.key_len >= MAX_KEY_LEN ||
+ param->u.wpa_key.seq_len >= MAX_KEY_LEN)
return -EINVAL;
DBG_PRT(MSG_LEVEL_DEBUG, KERN_INFO "param->u.wpa_key.alg_name = %d \n", param->u.wpa_key.alg_name);
More information about the devel
mailing list