staging: vt6655: buffer overflow in ioctl

->u.generic_elem.len is a user controlled number between 0-255. We should limit it to avoid memory corruption. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

staging: vt6655: buffer overflow in ioctl
->u.generic_elem.len is a user controlled number between 0-255. We should limit it to avoid memory corruption. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
ed87c2b2 · Dan Carpenter · Greg Kroah-Hartman · 922b83b4 · ed87c2b2
Commit ed87c2b2 authored Sep 19, 2014 by Dan Carpenter Committed by Greg Kroah-Hartman Sep 19, 2014
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 0 deletions

drivers/staging/vt6655/hostap.c drivers/staging/vt6655/hostap.c +3 -0

No files found.
--- a/drivers/staging/vt6655/hostap.c
+++ b/drivers/staging/vt6655/hostap.c
@@ -350,6 +350,9 @@ static int hostap_set_generic_element(PSDevice pDevice,
 {
 	PSMgmtObject    pMgmt = pDevice->pMgmt;

+	if (param->u.generic_elem.len > sizeof(pMgmt->abyWPAIE))
+		return -EINVAL;
+
 	memcpy(pMgmt->abyWPAIE,
 	       param->u.generic_elem.data,
 	       param->u.generic_elem.len