Eric Lee / smarc-fsl-linux-kernel

Download as
Browse Code ยป

Commit dd173abfead903c7df54e977535973f3312cd307

Authored by Dan Carpenter
Committed by Greg Kroah-Hartman
1 parent 350aede603

Staging: vt6655: fix buffer overflow 

"param->u.wpa_associate.wpa_ie_len" comes from the user.  We should
check it so that the copy_from_user() doesn't overflow the buffer.

Also further down in the function, we assume that if
"param->u.wpa_associate.wpa_ie_len" is set then "abyWPAIE[0]" is
initialized.  To make that work, I changed the test here to say that if
"wpa_ie_len" is set then "wpa_ie" has to be a valid pointer or we return
-EINVAL.

Oddly, we only use the first element of the abyWPAIE[] array.  So I
suspect there may be some other issues in this function.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

Showing 1 changed file with 8 additions and 3 deletions Side-by-side Diff

drivers/staging/vt6655/wpactl.c
Diff comments   View file @ dd173ab
... ... @@ -766,9 +766,14 @@
766 766 DBG_PRT(MSG_LEVEL_DEBUG, KERN_INFO "wpa_ie_len = %d\n", param->u.wpa_associate.wpa_ie_len);
767 767  
768 768  
769   - if (param->u.wpa_associate.wpa_ie &&
770   - copy_from_user(&abyWPAIE[0], param->u.wpa_associate.wpa_ie, param->u.wpa_associate.wpa_ie_len))
771   - return -EINVAL;
  769 + if (param->u.wpa_associate.wpa_ie_len) {
  770 + if (!param->u.wpa_associate.wpa_ie)
  771 + return -EINVAL;
  772 + if (param->u.wpa_associate.wpa_ie_len > sizeof(abyWPAIE))
  773 + return -EINVAL;
  774 + if (copy_from_user(&abyWPAIE[0], param->u.wpa_associate.wpa_ie, param->u.wpa_associate.wpa_ie_len))
  775 + return -EFAULT;
  776 + }
772 777  
773 778 if (param->u.wpa_associate.mode == 1)
774 779 pMgmt->eConfigMode = WMAC_CONFIG_IBSS_STA;