Staging: vt6655: add some range checks before memcpy()

There were no range checks in the original code so the user could
write past the end of the array.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

diff --git a/drivers/staging/vt6655/ioctl.c b/drivers/staging/vt6655/ioctl.c
index 6718cfdd775687cb19b39fe57ff92c1dab264be6..432a20993c6ef2ac3eb855a5dfb5eae4011b8400 100644 (file)
--- a/drivers/staging/vt6655/ioctl.c
+++ b/drivers/staging/vt6655/ioctl.c
@@ -82,6 +82,8 @@ int private_ioctl(PSDevice pDevice, struct ifreq *rq)
                }
 
                pItemSSID = (PWLAN_IE_SSID)sScanCmd.ssid;
+               if (pItemSSID->len > WLAN_SSID_MAXLEN + 1)
+                       return -EINVAL;
                if (pItemSSID->len != 0) {
                        memset(abyScanSSID, 0, WLAN_IEHDR_LEN + WLAN_SSID_MAXLEN + 1);
                        memcpy(abyScanSSID, pItemSSID, pItemSSID->len + WLAN_IEHDR_LEN);
@@ -168,6 +170,8 @@ int private_ioctl(PSDevice pDevice, struct ifreq *rq)
                }
 
                pItemSSID = (PWLAN_IE_SSID)sJoinCmd.ssid;
+               if (pItemSSID->len > WLAN_SSID_MAXLEN + 1)
+                       return -EINVAL;
                memset(pMgmt->abyDesireSSID, 0, WLAN_IEHDR_LEN + WLAN_SSID_MAXLEN + 1);
                memcpy(pMgmt->abyDesireSSID, pItemSSID, pItemSSID->len + WLAN_IEHDR_LEN);
                if (sJoinCmd.wBSSType == ADHOC) {
@@ -490,6 +494,8 @@ int private_ioctl(PSDevice pDevice, struct ifreq *rq)
                }
 
                pItemSSID = (PWLAN_IE_SSID)sStartAPCmd.ssid;
+               if (pItemSSID->len > WLAN_SSID_MAXLEN + 1)
+                       return -EINVAL;
                memset(pMgmt->abyDesireSSID, 0, WLAN_IEHDR_LEN + WLAN_SSID_MAXLEN + 1);
                memcpy(pMgmt->abyDesireSSID, pItemSSID, pItemSSID->len + WLAN_IEHDR_LEN);