->u.generic_elem.len is a user controlled number between 0-255. We should limit it to avoid memory corruption. Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> diff --git a/drivers/staging/vt6655/hostap.c b/drivers/staging/vt6655/hostap.c index 0dd87d4..73429f4 100644 --- a/drivers/staging/vt6655/hostap.c +++ b/drivers/staging/vt6655/hostap.c @@ -341,6 +341,9 @@ static int hostap_set_generic_element(struct vnt_private *pDevice, { PSMgmtObject pMgmt = pDevice->pMgmt; + if (param->u.generic_elem.len > sizeof(pMgmt->abyWPAIE)) + return -EINVAL; + memcpy(pMgmt->abyWPAIE, param->u.generic_elem.data, param->u.generic_elem.len _______________________________________________ devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxx http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
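Review bot: the new check in hostap_set_generic_element() bounds the memcpy only against the destination, sizeof(pMgmt->abyWPAIE), and nothing in this hunk shows that param actually holds generic_elem.len bytes of data. It is worth confirming that the caller has checked the length of the user-supplied buffer against the offset of generic_elem.data plus len, otherwise the copy can no longer overflow abyWPAIE but could still read past the end of param. The commit message would also be easier to follow if it named the destination buffer, abyWPAIE, and stated its size relative to the 0-255 range of len, so the reason for the limit is visible without opening the source.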