Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 3a1c42ad authored by Jouni Malinen's avatar Jouni Malinen Committed by John W. Linville
Browse files

[PATCH] hostap: Fix unlikely read overrun in CIS parsing 



The Coverity checker (CID: 452, 453, 454, 455, 456) spotted this
unlikely read overrun of CIS buffer. Abort if CISTPL_CONFIG or
CISTPL_MANFID would not fit in buffer.

Signed-off-by: default avatarJouni Malinen <jkmaline@cc.hut.fi>
Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
parent 8abceaf1

drivers/net/wireless/hostap/hostap_plx.c

+2 −2
Original line number Diff line number Diff line
@@ -368,7 +368,7 @@ static int prism2_plx_check_cis(void __iomem *attr_mem, int attr_len, 


		switch (cis[pos]) {

		case CISTPL_CONFIG:

			if (cis[pos + 1] < 1)

			if (cis[pos + 1] < 2)

				goto cis_error;

			rmsz = (cis[pos + 2] & 0x3c) >> 2;

			rasz = cis[pos + 2] & 0x03;
@@ -390,7 +390,7 @@ static int prism2_plx_check_cis(void __iomem *attr_mem, int attr_len, 
			break;



		case CISTPL_MANFID:

			if (cis[pos + 1] < 4)

			if (cis[pos + 1] < 5)

				goto cis_error;

			manfid1 = cis[pos + 2] + (cis[pos + 3] << 8);

			manfid2 = cis[pos + 4] + (cis[pos + 5] << 8);