summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJohn W. Linville <linville@tuxdriver.com>2009-05-20 10:51:41 -0400
committerJohn W. Linville <linville@tuxdriver.com>2009-05-20 14:29:54 -0400
commit267d493b322b05984048aef8ea9b5b213490bbe0 (patch)
tree167d6c2615990375e5a3af682f7bc3431f5851b5
parent875690c378d64d9ee2de15cad8206d3f11ae5096 (diff)
airo: fix airo_get_encode{,ext} buffer overflow like I mean it...
"airo: airo_get_encode{,ext} potential buffer overflow" was actually a no-op, due to an unrecognized type overflow in an assignment. Oddly, gcc only seems to tell me about it when using -Wextra...grrr... Signed-off-by: John W. Linville <linville@tuxdriver.com>
-rw-r--r--drivers/net/wireless/airo.c23
1 files changed, 14 insertions, 9 deletions
diff --git a/drivers/net/wireless/airo.c b/drivers/net/wireless/airo.c
index d73475739127..9eabf4d1f2e7 100644
--- a/drivers/net/wireless/airo.c
+++ b/drivers/net/wireless/airo.c
@@ -6467,6 +6467,7 @@ static int airo_get_encode(struct net_device *dev,
{
struct airo_info *local = dev->ml_priv;
int index = (dwrq->flags & IW_ENCODE_INDEX) - 1;
+ int wep_key_len;
u8 buf[16];
if (!local->wep_capable)
@@ -6500,11 +6501,13 @@ static int airo_get_encode(struct net_device *dev,
dwrq->flags |= index + 1;
/* Copy the key to the user buffer */
- dwrq->length = get_wep_key(local, index, &buf[0], sizeof(buf));
- if (dwrq->length != -1)
- memcpy(extra, buf, dwrq->length);
- else
+ wep_key_len = get_wep_key(local, index, &buf[0], sizeof(buf));
+ if (wep_key_len < 0) {
dwrq->length = 0;
+ } else {
+ dwrq->length = wep_key_len;
+ memcpy(extra, buf, dwrq->length);
+ }
return 0;
}
@@ -6617,7 +6620,7 @@ static int airo_get_encodeext(struct net_device *dev,
struct airo_info *local = dev->ml_priv;
struct iw_point *encoding = &wrqu->encoding;
struct iw_encode_ext *ext = (struct iw_encode_ext *)extra;
- int idx, max_key_len;
+ int idx, max_key_len, wep_key_len;
u8 buf[16];
if (!local->wep_capable)
@@ -6661,11 +6664,13 @@ static int airo_get_encodeext(struct net_device *dev,
memset(extra, 0, 16);
/* Copy the key to the user buffer */
- ext->key_len = get_wep_key(local, idx, &buf[0], sizeof(buf));
- if (ext->key_len != -1)
- memcpy(extra, buf, ext->key_len);
- else
+ wep_key_len = get_wep_key(local, idx, &buf[0], sizeof(buf));
+ if (wep_key_len < 0) {
ext->key_len = 0;
+ } else {
+ ext->key_len = wep_key_len;
+ memcpy(extra, buf, ext->key_len);
+ }
return 0;
}