staging: wlan-ng fix buffer overflow in firmware handling

We test for an END marker in the element beyond the current one, this effectively limits the size of the array to be HFA384x_PDA_LEN_MAX/2 - 1 not HFA384x_PDR_END_OF_PDA/2. This patch fixes a possible buffer overflow in case there was no END marker. Signed-off-by: Tillmann Heidsieck <theidsieck@leenox.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

staging: wlan-ng fix buffer overflow in firmware handling
We test for an END marker in the element beyond the current one, this effectively limits the size of the array to be HFA384x_PDA_LEN_MAX/2 - 1 not HFA384x_PDR_END_OF_PDA/2. This patch fixes a possible buffer overflow in case there was no END marker. Signed-off-by: Tillmann Heidsieck <theidsieck@leenox.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
4ccb726c · Tillmann Heidsieck · Greg Kroah-Hartman · 174f2642 · 4ccb726c
Commit 4ccb726c authored Sep 23, 2015 by Tillmann Heidsieck Committed by Greg Kroah-Hartman Sep 29, 2015
Show whitespace changes
Inline Side-by-side

Showing with 2 additions and 2 deletions

drivers/staging/wlan-ng/prism2fw.c drivers/staging/wlan-ng/prism2fw.c +2 -2

No files found.
--- a/drivers/staging/wlan-ng/prism2fw.c
+++ b/drivers/staging/wlan-ng/prism2fw.c
@@ -590,7 +590,7 @@ static int mkpdrlist(struct pda *pda)

 	pda->nrec = 0;
 	curroff = 0;
-	while (curroff < (HFA384x_PDA_LEN_MAX / 2) &&
+	while (curroff < (HFA384x_PDA_LEN_MAX / 2 - 1) &&
 	       le16_to_cpu(pda16[curroff + 1]) != HFA384x_PDR_END_OF_PDA) {
 		pda->rec[pda->nrec] = (hfa384x_pdrec_t *) &(pda16[curroff]);

@@ -626,7 +626,7 @@ static int mkpdrlist(struct pda *pda)
 		curroff += le16_to_cpu(pda16[curroff]) + 1;

 	}
-	if (curroff >= (HFA384x_PDA_LEN_MAX / 2)) {
+	if (curroff >= (HFA384x_PDA_LEN_MAX / 2 - 1)) {
 		pr_err("no end record found or invalid lengths in PDR data, exiting. %x %d\n",
 		       curroff, pda->nrec);
 		return 1;