airo: airo_get_encode{,ext} potential buffer overflow

Feeding the return code of get_wep_key directly to the length parameter of memcpy is a bad idea since it could be -1... Reported-by: N Eugene Teo <eugeneteo@kernel.sg> Signed-off-by: N John W. Linville <linville@tuxdriver.com>

airo: airo_get_encode{,ext} potential buffer overflow
Feeding the return code of get_wep_key directly to the length parameter of memcpy is a bad idea since it could be -1... Reported-by: N Eugene Teo <eugeneteo@kernel.sg> Signed-off-by: N John W. Linville <linville@tuxdriver.com>
aedec922 · John W. Linville · e1cc1c57 · aedec922
隐藏空白更改
内联并排

Showing with 8 addition and 2 deletion

drivers/net/wireless/airo.c drivers/net/wireless/airo.c +8 -2

未找到文件。
--- a/drivers/net/wireless/airo.c
+++ b/drivers/net/wireless/airo.c
@@ -6501,7 +6501,10 @@ static int airo_get_encode(struct net_device *dev,

 	/* Copy the key to the user buffer */
 	dwrq->length = get_wep_key(local, index, &buf[0], sizeof(buf));
-	memcpy(extra, buf, dwrq->length);
+	if (dwrq->length != -1)
+		memcpy(extra, buf, dwrq->length);
+	else
+		dwrq->length = 0;

 	return 0;
 }
@@ -6659,7 +6662,10 @@ static int airo_get_encodeext(struct net_device *dev,
 	
 	/* Copy the key to the user buffer */
 	ext->key_len = get_wep_key(local, idx, &buf[0], sizeof(buf));
-	memcpy(extra, buf, ext->key_len);
+	if (ext->key_len != -1)
+		memcpy(extra, buf, ext->key_len);
+	else
+		ext->key_len = 0;

 	return 0;
 }