提交 2fb40577 编写于 作者: D Dan Carpenter 提交者: John W. Linville

wl3501_cs: min_t() cast truncates high bits

wrqu->encoding.length comes from the network administrator.  It's
size u16.  We want to limit "tocopy" to the smallest value of either
"len_keys", "wrqu->encoding.length" or 100.  But because .length
gets cast from u16 to u8 we might use a random, smaller value than
the was desired.  It's probably not very serious, but we may as well
fix it.

Btw, this is from code auditing and not from testing.  I don't know
if this affects anyone in real life.
Signed-off-by: NDan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
上级 f6f3def3
......@@ -1781,7 +1781,7 @@ static int wl3501_get_encode(struct net_device *dev,
keys, len_keys);
if (rc)
goto out;
tocopy = min_t(u8, len_keys, wrqu->encoding.length);
tocopy = min_t(u16, len_keys, wrqu->encoding.length);
tocopy = min_t(u8, tocopy, 100);
wrqu->encoding.length = tocopy;
memcpy(extra, keys, tocopy);
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册