Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit b358492c authored by Masakazu Mokuno's avatar Masakazu Mokuno Committed by John W. Linville
Browse files

PS3: gelic: fix the oops on the broken IE returned from the hypervisor 



This fixes the bug that the driver would try to over-scan the memory
if the sum of the length field of every IEs does not match the length
returned from the hypervisor.

Signed-off-by: default avatarMasakazu Mokuno <mokuno@sm.sony.co.jp>
Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
parent dc4ae1f4

drivers/net/ps3_gelic_wireless.c

+8 −3
Original line number Diff line number Diff line
@@ -512,13 +512,18 @@ static void gelic_wl_parse_ie(u8 *data, size_t len, 
		 data, len);

	memset(ie_info, 0, sizeof(struct ie_info));



	while (0 < data_left) {

	while (2 <= data_left) {

		item_id = *pos++;

		item_len = *pos++;

		data_left -= 2;



		if (data_left < item_len)

			break;



		switch (item_id) {

		case MFIE_TYPE_GENERIC:

			if (!memcmp(pos, wpa_oui, OUI_LEN) &&

			if ((OUI_LEN + 1 <= item_len) &&

			    !memcmp(pos, wpa_oui, OUI_LEN) &&

			    pos[OUI_LEN] == 0x01) {

				ie_info->wpa.data = pos - 2;

				ie_info->wpa.len = item_len + 2;
@@ -535,7 +540,7 @@ static void gelic_wl_parse_ie(u8 *data, size_t len, 
			break;

		}

		pos += item_len;

		data_left -= item_len + 2;

		data_left -= item_len;

	}

	pr_debug("%s: wpa=%p,%d wpa2=%p,%d\n", __func__,

		 ie_info->wpa.data, ie_info->wpa.len,