From 6b7200fe0a59d7bda59e9e028b235b25a137dff9 Mon Sep 17 00:00:00 2001
From: Dan Carpenter
Date: Tue, 18 Oct 2011 09:27:25 +0300
Subject: Staging: vt6655: memory corruption in check in wpa_set_wpadev()

The original code left it up to the user to decide how much data to copy, but that doesn't work with a fixed size array.

Signed-off-by: Dan Carpenter
Signed-off-by: Greg Kroah-Hartman
diff --git a/drivers/staging/vt6655/wpactl.c b/drivers/staging/vt6655/wpactl.c
index a0f994e..732ba88 100644
--- a/drivers/staging/vt6655/wpactl.c
+++ b/drivers/staging/vt6655/wpactl.c
@@ -213,7 +213,9 @@ int wpa_set_wpadev(PSDevice pDevice, int val)
 int uu, ii;
- if (param->u.wpa_key.alg_name > WPA_ALG_CCMP)
+ if (param->u.wpa_key.alg_name > WPA_ALG_CCMP ||
+ param->u.wpa_key.key_len >= MAX_KEY_LEN ||
+ param->u.wpa_key.seq_len >= MAX_KEY_LEN)
 return -EINVAL;
 DBG_PRT(MSG_LEVEL_DEBUG, KERN_INFO "param->u.wpa_key.alg_name = %d \n", param->u.wpa_key.alg_name);
-- 
cgit v0.10.2
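Review bot: The new bounds on `param->u.wpa_key.key_len` and `param->u.wpa_key.seq_len` compare against the macro `MAX_KEY_LEN` rather than against the arrays they protect, and those declarations are outside the hunk, so it cannot be confirmed from here that the sequence buffer is also `MAX_KEY_LEN` bytes. Comparing each length with `sizeof()` of its own destination array would keep the check correct if either array is later resized. If both arrays are declared with `MAX_KEY_LEN` elements, `>=` also rejects a length that would fit exactly; if that is intended (for example to leave room for a terminator), a short comment such as `/* key_len and seq_len come from user space and bound the copies into the fixed-size key and sequence arrays */` above the condition would record why. The enclosing function starts and ends outside the hunk, and because the condition reads `param`, which is not in the `wpa_set_wpadev(PSDevice pDevice, int val)` signature shown in the hunk header, the changed function is presumably a different one from the one named in the subject line.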