airo: airo_get_encode{,ext} potential buffer overflow

author John W. Linville <linville@tuxdriver.com>

Mon, 4 May 2009 15:18:57 +0000 (11:18 -0400)

committer John W. Linville <linville@tuxdriver.com>

Mon, 11 May 2009 19:07:01 +0000 (15:07 -0400)
author John W. Linville <linville@tuxdriver.com>
Mon, 4 May 2009 15:18:57 +0000 (11:18 -0400)
committer John W. Linville <linville@tuxdriver.com>
Mon, 11 May 2009 19:07:01 +0000 (15:07 -0400)
diff --git a/drivers/net/wireless/airo.c b/drivers/net/wireless/airo.c

index c36d3a3d655ff463c53501505638ef0aacfe019f..d734757391270be2b549a89376df0ccb38bb66bf 100644 (file)
--- a/drivers/net/wireless/airo.c
+++ b/drivers/net/wireless/airo.c
@@ -6501,7 +6501,10 @@ static int airo_get_encode(struct net_device *dev,
  
         /* Copy the key to the user buffer */
         dwrq->length = get_wep_key(local, index, &buf[0], sizeof(buf));
-       memcpy(extra, buf, dwrq->length);
+       if (dwrq->length != -1)
+               memcpy(extra, buf, dwrq->length);
+       else
+               dwrq->length = 0;
  
         return 0;
  }
@@ -6659,7 +6662,10 @@ static int airo_get_encodeext(struct net_device *dev,
         
         /* Copy the key to the user buffer */
         ext->key_len = get_wep_key(local, idx, &buf[0], sizeof(buf));
-       memcpy(extra, buf, ext->key_len);
+       if (ext->key_len != -1)
+               memcpy(extra, buf, ext->key_len);
+       else
+               ext->key_len = 0;
  
         return 0;
  }
author	John W. Linville <linville@tuxdriver.com>
	Mon, 4 May 2009 15:18:57 +0000 (11:18 -0400)
committer	John W. Linville <linville@tuxdriver.com>
	Mon, 11 May 2009 19:07:01 +0000 (15:07 -0400)