[PATCH] iwlwifi: fix oops on wep key insertion

Joonwoo Park <joonwpark81@xxxxxxxxx> · Mon, 26 May 2008 22:13:34 -0700

Fix overflow which is occured by long wep key configuring.
Also, this patch contains some cleanup for not to do memcpy with
zero size.

$sudo iwconfig wlan0 enc AAAA-AAAA-AAAA-AAAA-AAAA-AAAA-AAAA-AAAA-AAAA-AAAA-AAAA-AAAA-AAAA-AAAA-AAAA-AAAA

BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
IP: [memcpy_c+0xb/0x20] memcpy_c+0xb/0x20
PGD 13a590067 PUD 12e471067 PMD 0
Oops: 0000 [1] PREEMPT SMP
CPU 1
...
Pid: 10, comm: events/1 Not tainted 2.6.26-rc2 #9
...
Call Trace:
 [iwl4965:iwl4965_rx_scan_start_notif+0xb/0x20] ? :iwl4965:iwl4965_enqueue_hcmd+0x12b/0x220
 [hci_usb:init_module+0xe97/0x28cb0] :iwlcore:iwl_send_cmd_sync+0x67/0x290
 [save_trace+0x3f/0xb0] ? save_trace+0x3f/0xb0
...

Signed-off-by: Joonwoo Park <joonwpark81@xxxxxxxxx>
---
 drivers/net/wireless/iwlwifi/iwl-sta.c |   16 ++++++++++------
 1 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/drivers/net/wireless/iwlwifi/iwl-sta.c b/drivers/net/wireless/iwlwifi/iwl-sta.c
index e4fdfaa..c3dd138 100644
--- a/drivers/net/wireless/iwlwifi/iwl-sta.c
+++ b/drivers/net/wireless/iwlwifi/iwl-sta.c
@@ -51,7 +51,7 @@ int iwl_get_free_ucode_key_index(struct iwl_priv *priv)
 
 int iwl_send_static_wepkey_cmd(struct iwl_priv *priv, u8 send_if_empty)
 {
-	int i, not_empty = 0;
+	int i, left, not_empty = 0;
 	u8 buff[sizeof(struct iwl_wep_cmd) +
 		sizeof(struct iwl_wep_key) * WEP_KEYS_MAX];
 	struct iwl_wep_cmd *wep_cmd = (struct iwl_wep_cmd *)buff;
@@ -67,16 +67,20 @@ int iwl_send_static_wepkey_cmd(struct iwl_priv *priv, u8 send_if_empty)
 
 	for (i = 0; i < WEP_KEYS_MAX ; i++) {
 		wep_cmd->key[i].key_index = i;
-		if (priv->wep_keys[i].key_size) {
+		wep_cmd->key[i].key_size = priv->wep_keys[i].key_size;
+		left = sizeof(wep_cmd->key[i].key)
+			- sizeof(wep_cmd->key[i].key[0]) * 3;
+		BUG_ON(left < 0);
+
+		if (wep_cmd->key[i].key_size
+		    && left >= wep_cmd->key[i].key_size) {
 			wep_cmd->key[i].key_offset = i;
 			not_empty = 1;
+			memcpy(&wep_cmd->key[i].key[3], priv->wep_keys[i].key,
+				wep_cmd->key[i].key_size);
 		} else {
 			wep_cmd->key[i].key_offset = WEP_INVALID_OFFSET;
 		}
-
-		wep_cmd->key[i].key_size = priv->wep_keys[i].key_size;
-		memcpy(&wep_cmd->key[i].key[3], priv->wep_keys[i].key,
-				priv->wep_keys[i].key_size);
 	}
 
 	wep_cmd->global_key_type = WEP_KEY_WEP_TYPE;
-- 
1.5.4.3

--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html




