PS3: gelic: fix the oops on the broken IE returned from the hypervisor
authorMasakazu Mokuno <mokuno@sm.sony.co.jp>
Mon, 14 Apr 2008 09:07:21 +0000 (18:07 +0900)
committerJohn W. Linville <linville@tuxdriver.com>
Tue, 15 Apr 2008 19:04:36 +0000 (15:04 -0400)
This fixes a bug where the driver would read past the end of the IE buffer
if the sum of the length fields of the individual IEs does not match the length
returned from the hypervisor.

Signed-off-by: Masakazu Mokuno <mokuno@sm.sony.co.jp>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
drivers/net/ps3_gelic_wireless.c

index ddbc6e4..c16de51 100644 (file)
@@ -512,13 +512,18 @@ static void gelic_wl_parse_ie(u8 *data, size_t len,
                 data, len);
        memset(ie_info, 0, sizeof(struct ie_info));
 
-       while (0 < data_left) {
+       while (2 <= data_left) {
                item_id = *pos++;
                item_len = *pos++;
+               data_left -= 2;
+
+               if (data_left < item_len)
+                       break;
 
                switch (item_id) {
                case MFIE_TYPE_GENERIC:
-                       if (!memcmp(pos, wpa_oui, OUI_LEN) &&
+                       if ((OUI_LEN + 1 <= item_len) &&
+                           !memcmp(pos, wpa_oui, OUI_LEN) &&
                            pos[OUI_LEN] == 0x01) {
                                ie_info->wpa.data = pos - 2;
                                ie_info->wpa.len = item_len + 2;
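Review bot: The new `if (data_left < item_len) break;` guard at the top of the loop silently stops parsing when an IE claims more bytes than remain, so a malformed IE list from the hypervisor is indistinguishable from a well-formed one that simply carries no WPA element. Since the function already traces its result with pr_debug, a one-line trace before the break, e.g. `pr_debug("%s: truncated IE id=%u, stop parsing\n", __func__, item_id);`, would make such input visible when debugging. The declarations of `data_left` and `item_len` are outside the hunk; the comparisons appear to rely on `data_left` being unsigned (or at least non-negative), which the `2 <= data_left` loop condition and the `data_left < item_len` check together keep true, so the later `data_left -= item_len` in the second hunk cannot underflow. gelic_wl_parse_ie starts before this hunk and its body continues past it.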
@@ -535,7 +540,7 @@ static void gelic_wl_parse_ie(u8 *data, size_t len,
                        break;
                }
                pos += item_len;
-               data_left -= item_len + 2;
+               data_left -= item_len;
        }
        pr_debug("%s: wpa=%p,%d wpa2=%p,%d\n", __func__,
                 ie_info->wpa.data, ie_info->wpa.len,