[PATCH 501/961] staging: ath6kl: buffer overflow in SEND_FRAME ioctl

[Greg Kroah-Hartman <gregkh@xxxxxxx>]

From: Dan Carpenter <error27@xxxxxxxxx>

We should check that optTxFrmCmd.optIEDataLen isn't too large before we
copy it into the data buffer.

Signed-off-by: Dan Carpenter <error27@xxxxxxxxx>
Acked-by: Vipin Mehta <vipin.mehta@xxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxx>
---
 drivers/staging/ath6kl/os/linux/ioctl.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

diff --git a/drivers/staging/ath6kl/os/linux/ioctl.c b/drivers/staging/ath6kl/os/linux/ioctl.c
index 82c7611..4f30b25 100644
--- a/drivers/staging/ath6kl/os/linux/ioctl.c
+++ b/drivers/staging/ath6kl/os/linux/ioctl.c
@@ -3175,6 +3175,11 @@ int ar6000_ioctl(struct net_device *dev, struct ifreq *rq, int cmd)
                 break;
             }
 
+            if (optTxFrmCmd.optIEDataLen > MAX_OPT_DATA_LEN) {
+                ret = -EINVAL;
+                break;
+            }
+
             if (copy_from_user(data, userdata+sizeof(WMI_OPT_TX_FRAME_CMD) - 1,
                                    optTxFrmCmd.optIEDataLen)) {
                 ret = -EFAULT;
-- 
1.7.4.1

_______________________________________________
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxx
http://driverdev.linuxdriverproject.org/mailman/listinfo/devel