[PATCH] hostap: Fix unlikely read overrun in CIS parsing
authorJouni Malinen <jkmaline@cc.hut.fi>
Mon, 20 Mar 2006 03:21:47 +0000 (19:21 -0800)
committerJohn W. Linville <linville@tuxdriver.com>
Thu, 23 Mar 2006 21:16:58 +0000 (16:16 -0500)
The Coverity checker (CID: 452, 453, 454, 455, 456) spotted this
unlikely read overrun of CIS buffer. Abort if CISTPL_CONFIG or
CISTPL_MANFID would not fit in buffer.

Signed-off-by: Jouni Malinen <jkmaline@cc.hut.fi>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
drivers/net/wireless/hostap/hostap_plx.c

index 94fe2449f0990a43f72a023ed5da2dfb9f6ccc0c..e258517ac85db50af3b774720441254eb1836e36 100644 (file)
@@ -368,7 +368,7 @@ static int prism2_plx_check_cis(void __iomem *attr_mem, int attr_len,
 
                switch (cis[pos]) {
                case CISTPL_CONFIG:
-                       if (cis[pos + 1] < 1)
+                       if (cis[pos + 1] < 2)
                                goto cis_error;
                        rmsz = (cis[pos + 2] & 0x3c) >> 2;
                        rasz = cis[pos + 2] & 0x03;
@@ -390,7 +390,7 @@ static int prism2_plx_check_cis(void __iomem *attr_mem, int attr_len,
                        break;
 
                case CISTPL_MANFID:
-                       if (cis[pos + 1] < 4)
+                       if (cis[pos + 1] < 5)
                                goto cis_error;
                        manfid1 = cis[pos + 2] + (cis[pos + 3] << 8);
                        manfid2 = cis[pos + 4] + (cis[pos + 5] << 8);