hi all,

in drivers/net/wireless/mwifiex/sta_ioctl.c the following functions

  mwifiex_set_wpa_ie_helper
  mwifiex_set_wapi_ie
  mwifiex_set_wps_ie

can truncate the incoming ie_len argument from u16 to u8 when it gets stored in mwifiex_private.wpa_ie_len, mwifiex_private.wapi_ie_len and mwifiex_private.wps_ie_len, respectively.

based on some light code reading it seems a length value of 256 is valid (IEEE_MAX_IE_SIZE and MWIFIEX_MAX_VSIE_LEN seem to limit it) and thus would get truncated to 0 when stored in those u8 fields. the question is whether this is intentional or a bug somewhere.

FTR, this issue was detected with the upcoming version of the size overflow plugin we have in PaX/grsecurity and there're a handful of similar cases in the tree where potentially unwanted or unnecessary integer truncations occur, this being one of these.

any opinion/help is welcome!

cheers,
PaX Team
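The truncation described in the message above, as an added example that is not part of the original post and is not the mwifiex driver's code. The struct, the function names and the 256-byte bound are assumptions modelled on the post's description; the second setter shows one possible check that refuses lengths the u8 field cannot hold.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MODEL_MAX_IE 256 /* assumption: the 256-byte limit the post reads from the code */

/* Simplified stand-in for the fields named in the post, not the kernel struct. */
struct model_priv {
    uint8_t wpa_ie[MODEL_MAX_IE];
    uint8_t wpa_ie_len; /* u8 length field */
};

typedef int (*ie_setter)(struct model_priv *, const uint8_t *, uint16_t);

/* Pattern from the post: u16 length bounded by the buffer, then stored in a u8. */
static int set_ie_truncating(struct model_priv *p, const uint8_t *ie, uint16_t ie_len)
{
    if (ie_len > sizeof(p->wpa_ie))
        return -EINVAL;
    memcpy(p->wpa_ie, ie, ie_len);
    p->wpa_ie_len = (uint8_t)ie_len; /* 256 becomes 0 here */
    return 0;
}

/* Checked variant: also reject lengths the u8 field cannot represent. */
static int set_ie_checked(struct model_priv *p, const uint8_t *ie, uint16_t ie_len)
{
    if (ie_len > sizeof(p->wpa_ie) || ie_len > UINT8_MAX)
        return -EINVAL;
    memcpy(p->wpa_ie, ie, ie_len);
    p->wpa_ie_len = (uint8_t)ie_len;
    return 0;
}

/* Returns the length recorded after the call, or -1 if the setter refused. */
static int stored_len_after(ie_setter set, uint16_t ie_len)
{
    static const uint8_t ie[MODEL_MAX_IE] = { 0xdd }; /* constructed sample IE */
    struct model_priv p;
    memset(&p, 0xaa, sizeof(p)); /* stale state, so a stored 0 is visible */
    return set(&p, ie, ie_len) ? -1 : p.wpa_ie_len;
}

int main(void)
{
    printf("truncating, 256 -> %d\n", stored_len_after(set_ie_truncating, 256));
    printf("checked,    256 -> %d\n", stored_len_after(set_ie_checked, 256));
    return 0;
}
```

In the truncating variant a full 256-byte IE is copied but recorded as length 0, so any later code that trusts the length field treats the IE as absent.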