summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLarry Finger <Larry.Finger@lwfinger.net>2011-10-08 19:01:06 (GMT)
committerGreg Kroah-Hartman <gregkh@suse.de>2011-10-11 16:02:49 (GMT)
commit447ff8865209e48e231de804c47eb4677f2318be (patch)
treebf6e2b66e8667692df3dad8aa7a248b11a03f01b
parent8550be08cbed164a8357491cc2c27cb99282b7ff (diff)
downloadlinux-fsl-qoriq-447ff8865209e48e231de804c47eb4677f2318be.tar.xz
staging: r8712u: Fix possible out-of-bounds index with TKIP and AES keys
Array XGrpKey has only 2 elements and uses (keyid - 1) as the index, which allows the possibility of memory corruption from an out-of-bounds index. This problem was reported by a new version of smatch. Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-rw-r--r--drivers/staging/rtl8712/rtl871x_mlme.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/drivers/staging/rtl8712/rtl871x_mlme.c b/drivers/staging/rtl8712/rtl871x_mlme.c
index c475b96..ef8eb6c 100644
--- a/drivers/staging/rtl8712/rtl871x_mlme.c
+++ b/drivers/staging/rtl8712/rtl871x_mlme.c
@@ -1281,12 +1281,16 @@ sint r8712_set_key(struct _adapter *adapter,
psecuritypriv->DefKey[keyid].skey, keylen);
break;
case _TKIP_:
+ if (keyid < 1 || keyid > 2)
+ return _FAIL;
keylen = 16;
memcpy(psetkeyparm->key,
&psecuritypriv->XGrpKey[keyid - 1], keylen);
psetkeyparm->grpkey = 1;
break;
case _AES_:
+ if (keyid < 1 || keyid > 2)
+ return _FAIL;
keylen = 16;
memcpy(psetkeyparm->key,
&psecuritypriv->XGrpKey[keyid - 1], keylen);