diff options
author | Larry Finger <Larry.Finger@lwfinger.net> | 2011-10-08 19:01:06 (GMT) |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@suse.de> | 2011-10-11 16:02:49 (GMT) |
commit | 447ff8865209e48e231de804c47eb4677f2318be (patch) | |
tree | bf6e2b66e8667692df3dad8aa7a248b11a03f01b | |
parent | 8550be08cbed164a8357491cc2c27cb99282b7ff (diff) | |
download | linux-fsl-qoriq-447ff8865209e48e231de804c47eb4677f2318be.tar.xz |
staging: r8712u: Fix possible out-of-bounds index with TKIP and AES keys
Array XGrpKey has only 2 elements and uses (keyid - 1) as the index, which
allows the possibility of memory corruption from an out-of-bounds index.
This problem was reported by a new version of smatch.
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-rw-r--r-- | drivers/staging/rtl8712/rtl871x_mlme.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/drivers/staging/rtl8712/rtl871x_mlme.c b/drivers/staging/rtl8712/rtl871x_mlme.c index c475b96..ef8eb6c 100644 --- a/drivers/staging/rtl8712/rtl871x_mlme.c +++ b/drivers/staging/rtl8712/rtl871x_mlme.c @@ -1281,12 +1281,16 @@ sint r8712_set_key(struct _adapter *adapter, psecuritypriv->DefKey[keyid].skey, keylen); break; case _TKIP_: + if (keyid < 1 || keyid > 2) + return _FAIL; keylen = 16; memcpy(psetkeyparm->key, &psecuritypriv->XGrpKey[keyid - 1], keylen); psetkeyparm->grpkey = 1; break; case _AES_: + if (keyid < 1 || keyid > 2) + return _FAIL; keylen = 16; memcpy(psetkeyparm->key, &psecuritypriv->XGrpKey[keyid - 1], keylen); |