airo: Buffer overflow (3d0ccd02) · Commits · e / devices / android_kernel_oneplus_sm8150

drivers/net/wireless/airo.c

+6 −7

Original line number	Original line	Diff line number	Diff line
	@@ -5922,16 +5922,15 @@ static int airo_set_essid(struct net_device *dev,
	/* Just send an empty SSID list */		/* Just send an empty SSID list */
	memset(&SSID_rid, 0, sizeof(SSID_rid));		memset(&SSID_rid, 0, sizeof(SSID_rid));
	} else {		} else {
	int index = (dwrq->flags & IW_ENCODE_INDEX) - 1;		unsigned index = (dwrq->flags & IW_ENCODE_INDEX) - 1;

	/* Check the size of the string */		/* Check the size of the string */
	if(dwrq->length > IW_ESSID_MAX_SIZE) {		if (dwrq->length > IW_ESSID_MAX_SIZE)
	return -E2BIG ;		return -E2BIG ;
	}
	/* Check if index is valid */		/* Check if index is valid */
	if((index < 0) \|\| (index >= 4)) {		if (index >= ARRAY_SIZE(SSID_rid.ssids))
	return -EINVAL;		return -EINVAL;
	}

	/* Set the SSID */		/* Set the SSID */
	memset(SSID_rid.ssids[index].ssid, 0,		memset(SSID_rid.ssids[index].ssid, 0,
	@@ -6819,7 +6818,7 @@ static int airo_set_txpow(struct net_device *dev,
	return -EINVAL;		return -EINVAL;
	}		}
	clear_bit (FLAG_RADIO_OFF, &local->flags);		clear_bit (FLAG_RADIO_OFF, &local->flags);
	for (i = 0; cap_rid.txPowerLevels[i] && (i < 8); i++)		for (i = 0; i < 8 && cap_rid.txPowerLevels[i]; i++)
	if (v == cap_rid.txPowerLevels[i]) {		if (v == cap_rid.txPowerLevels[i]) {
	readConfigRid(local, 1);		readConfigRid(local, 1);
	local->config.txPower = v;		local->config.txPower = v;