OpenE2K
/
linux
6
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

staging: wlan-ng fix buffer overflow in firmware handling 

We test for an END marker in the element beyond the current one, this
effectively limits the size of the array to be HFA384x_PDA_LEN_MAX/2 - 1
not HFA384x_PDR_END_OF_PDA/2. This patch fixes a possible buffer
overflow in case there was no END marker.

Signed-off-by: Tillmann Heidsieck <theidsieck@leenox.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Tillmann Heidsieck 2015-09-23 22:07:53 +02:00 committed by Greg Kroah-Hartman
parent 174f264234
commit 4ccb726c72
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
drivers/staging/wlan-ng/prism2fw.c
View File

@ -590,7 +590,7 @@ static int mkpdrlist(struct pda *pda)
pda->nrec = 0;
curroff = 0;
while (curroff < (HFA384x_PDA_LEN_MAX / 2) &&
while (curroff < (HFA384x_PDA_LEN_MAX / 2 - 1) &&
le16_to_cpu(pda16[curroff + 1]) != HFA384x_PDR_END_OF_PDA) {
pda->rec[pda->nrec] = (hfa384x_pdrec_t *) &(pda16[curroff]);
@ -626,7 +626,7 @@ static int mkpdrlist(struct pda *pda)
curroff += le16_to_cpu(pda16[curroff]) + 1;
}
if (curroff >= (HFA384x_PDA_LEN_MAX / 2)) {
if (curroff >= (HFA384x_PDA_LEN_MAX / 2 - 1)) {
pr_err("no end record found or invalid lengths in PDR data, exiting. %x %d\n",
curroff, pda->nrec);
return 1;