The Coverity checker (CID: 452, 453, 454, 455, 456) spotted this
unlikely read overrun of CIS buffer. Abort if CISTPL_CONFIG or
CISTPL_MANFID would not fit in buffer.
Signed-off-by: Jouni Malinen <[EMAIL PROTECTED]>
Index: wireless-2.6/drivers/net/wireless/hostap/hostap_plx.c
===================================================================
--- wireless-2.6.orig/drivers/net/wireless/hostap/hostap_plx.c
+++ wireless-2.6/drivers/net/wireless/hostap/hostap_plx.c
@@ -368,7 +368,7 @@ static int prism2_plx_check_cis(void __i
switch (cis[pos]) {
case CISTPL_CONFIG:
- if (cis[pos + 1] < 1)
+ if (cis[pos + 1] < 2)
goto cis_error;
rmsz = (cis[pos + 2] & 0x3c) >> 2;
rasz = cis[pos + 2] & 0x03;
@@ -390,7 +390,7 @@ static int prism2_plx_check_cis(void __i
break;
case CISTPL_MANFID:
- if (cis[pos + 1] < 4)
+ if (cis[pos + 1] < 5)
goto cis_error;
manfid1 = cis[pos + 2] + (cis[pos + 3] << 8);
manfid2 = cis[pos + 4] + (cis[pos + 5] << 8);
--
--
Jouni Malinen PGP id EFC895FA
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
