Commit 3a1c42ad, authored by Jouni Malinen, committed by John W. Linville

[PATCH] hostap: Fix unlikely read overrun in CIS parsing

The Coverity checker (CID: 452, 453, 454, 455, 456) spotted this
unlikely read overrun of CIS buffer. Abort if CISTPL_CONFIG or
CISTPL_MANFID would not fit in buffer.
Signed-off-by: Jouni Malinen <jkmaline@cc.hut.fi>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Parent 8abceaf1
...@@ -368,7 +368,7 @@ static int prism2_plx_check_cis(void __iomem *attr_mem, int attr_len, ...@@ -368,7 +368,7 @@ static int prism2_plx_check_cis(void __iomem *attr_mem, int attr_len,
switch (cis[pos]) { switch (cis[pos]) {
case CISTPL_CONFIG: case CISTPL_CONFIG:
if (cis[pos + 1] < 1) if (cis[pos + 1] < 2)
goto cis_error; goto cis_error;
rmsz = (cis[pos + 2] & 0x3c) >> 2; rmsz = (cis[pos + 2] & 0x3c) >> 2;
rasz = cis[pos + 2] & 0x03; rasz = cis[pos + 2] & 0x03;
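Review bot: The new CISTPL_CONFIG test `if (cis[pos + 1] < 2)` only compares the tuple's own length byte against a constant, so on its own it does not show that the tuple lies inside the CIS buffer, which is what the commit message promises. Please confirm that something like pos + 2 + cis[pos + 1] is checked against the buffer length before the switch, or add that check here. A short comment saying which bytes the minimum of 2 is meant to cover would also help, since the only read visible in this hunk is cis[pos + 2], and any later accesses that scale with rmsz and rasz need their own bound.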
...@@ -390,7 +390,7 @@ static int prism2_plx_check_cis(void __iomem *attr_mem, int attr_len, ...@@ -390,7 +390,7 @@ static int prism2_plx_check_cis(void __iomem *attr_mem, int attr_len,
break; break;
case CISTPL_MANFID: case CISTPL_MANFID:
if (cis[pos + 1] < 4) if (cis[pos + 1] < 5)
goto cis_error; goto cis_error;
manfid1 = cis[pos + 2] + (cis[pos + 3] << 8); manfid1 = cis[pos + 2] + (cis[pos + 3] << 8);
manfid2 = cis[pos + 4] + (cis[pos + 5] << 8); manfid2 = cis[pos + 4] + (cis[pos + 5] << 8);
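Review bot: The CISTPL_MANFID minimum goes from 4 to 5, but the two reads below it only touch cis[pos + 2] through cis[pos + 5], which is four bytes after the length byte. If cis[pos + 1] counts the bytes that follow it, a length of 4 already covers both reads, and `if (cis[pos + 1] < 5)` would reject a tuple that carries exactly manfid1 and manfid2. Please explain in a comment why a fifth byte is required, or keep the bound at 4 and guard against running past the end of the CIS buffer with a check on pos instead.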
......