Staging: vt6655: add some range checks before memcpy()

There were no range checks in the original code so the user could write past the end of the array. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
git-mirror · Oct 23, 2011 · 0c849b3 · 0c849b3
1 parent 0d3eb2b
commit 0c849b3
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/drivers/staging/vt6655/ioctl.c b/drivers/staging/vt6655/ioctl.c
@@ -82,6 +82,8 @@ int private_ioctl(PSDevice pDevice, struct ifreq *rq)
 		}
 
 		pItemSSID = (PWLAN_IE_SSID)sScanCmd.ssid;
+		if (pItemSSID->len > WLAN_SSID_MAXLEN + 1)
+			return -EINVAL;
 		if (pItemSSID->len != 0) {
 			memset(abyScanSSID, 0, WLAN_IEHDR_LEN + WLAN_SSID_MAXLEN + 1);
 			memcpy(abyScanSSID, pItemSSID, pItemSSID->len + WLAN_IEHDR_LEN);
@@ -168,6 +170,8 @@ int private_ioctl(PSDevice pDevice, struct ifreq *rq)
 		}
 
 		pItemSSID = (PWLAN_IE_SSID)sJoinCmd.ssid;
+		if (pItemSSID->len > WLAN_SSID_MAXLEN + 1)
+			return -EINVAL;
 		memset(pMgmt->abyDesireSSID, 0, WLAN_IEHDR_LEN + WLAN_SSID_MAXLEN + 1);
 		memcpy(pMgmt->abyDesireSSID, pItemSSID, pItemSSID->len + WLAN_IEHDR_LEN);
 		if (sJoinCmd.wBSSType == ADHOC) {
@@ -490,6 +494,8 @@ int private_ioctl(PSDevice pDevice, struct ifreq *rq)
 		}
 
 		pItemSSID = (PWLAN_IE_SSID)sStartAPCmd.ssid;
+		if (pItemSSID->len > WLAN_SSID_MAXLEN + 1)
+			return -EINVAL;
 		memset(pMgmt->abyDesireSSID, 0, WLAN_IEHDR_LEN + WLAN_SSID_MAXLEN + 1);
 		memcpy(pMgmt->abyDesireSSID, pItemSSID, pItemSSID->len + WLAN_IEHDR_LEN);