From: Masakazu Mokuno Date: Mon, 14 Apr 2008 09:07:21 +0000 (+0900) Subject: PS3: gelic: fix the oops on the broken IE returned from the hypervisor X-Git-Tag: v2.6.25~4^2~1^2 X-Git-Url: https://err.no/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b358492cd2a9c67bff352c5a60d86e7fc9627477;p=linux-2.6 PS3: gelic: fix the oops on the broken IE returned from the hypervisor This fixes the bug that the driver would try to over-scan the memory if the sum of the length field of every IEs does not match the length returned from the hypervisor. Signed-off-by: Masakazu Mokuno Signed-off-by: John W. Linville --- diff --git a/drivers/net/ps3_gelic_wireless.c b/drivers/net/ps3_gelic_wireless.c index ddbc6e475e..c16de5129a 100644 --- a/drivers/net/ps3_gelic_wireless.c +++ b/drivers/net/ps3_gelic_wireless.c @@ -512,13 +512,18 @@ static void gelic_wl_parse_ie(u8 *data, size_t len, data, len); memset(ie_info, 0, sizeof(struct ie_info)); - while (0 < data_left) { + while (2 <= data_left) { item_id = *pos++; item_len = *pos++; + data_left -= 2; + + if (data_left < item_len) + break; switch (item_id) { case MFIE_TYPE_GENERIC: - if (!memcmp(pos, wpa_oui, OUI_LEN) && + if ((OUI_LEN + 1 <= item_len) && + !memcmp(pos, wpa_oui, OUI_LEN) && pos[OUI_LEN] == 0x01) { ie_info->wpa.data = pos - 2; ie_info->wpa.len = item_len + 2; @@ -535,7 +540,7 @@ static void gelic_wl_parse_ie(u8 *data, size_t len, break; } pos += item_len; - data_left -= item_len + 2; + data_left -= item_len; } pr_debug("%s: wpa=%p,%d wpa2=%p,%d\n", __func__, ie_info->wpa.data, ie_info->wpa.len,
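Review bot: The added `if (data_left < item_len) break;` in the first hunk stops parsing silently, so a truncated or inconsistent IE list from the hypervisor leaves no trace beyond the closing pr_debug of whatever was found earlier. Bracing that branch and adding `pr_debug("%s: truncated IE, id=%d len=%d\n", __func__, item_id, item_len);` before the `break` would make malformed scan data visible during debugging. The loop is also only as safe as its `len` argument: each element is now bounded against data_left, but whether the caller clamps the hypervisor-supplied length to the real buffer size is not visible here and is worth confirming. Separately, `ie_info->wpa.len = item_len + 2;` would wrap for an item_len of 254 or 255 if that `len` field is an 8-bit type; its declaration is outside the hunk, so this is a question rather than a finding. gelic_wl_parse_ie starts before the first hunk and ends after the second, so the declarations of data_left and pos were not reviewed.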