PS3: gelic: fix the oops on the broken IE returned from the hypervisor

This fixes the bug that the driver would try to over-scan the memory if the sum of the length field of every IEs does not match the length returned from the hypervisor. Signed-off-by: Masakazu Mokuno <[email protected]> Signed-off-by: John W. Linville <[email protected]>
tdeneau · Apr 15, 2008 · b358492 · b358492
1 parent dc4ae1f
commit b358492
Showing 1 changed file with 8 additions and 3 deletions.
diff --git a/drivers/net/ps3_gelic_wireless.c b/drivers/net/ps3_gelic_wireless.c
@@ -512,13 +512,18 @@ static void gelic_wl_parse_ie(u8 *data, size_t len,
 		 data, len);
 	memset(ie_info, 0, sizeof(struct ie_info));
 
-	while (0 < data_left) {
+	while (2 <= data_left) {
 		item_id = *pos++;
 		item_len = *pos++;
+		data_left -= 2;
+
+		if (data_left < item_len)
+			break;
 
 		switch (item_id) {
 		case MFIE_TYPE_GENERIC:
-			if (!memcmp(pos, wpa_oui, OUI_LEN) &&
+			if ((OUI_LEN + 1 <= item_len) &&
+			    !memcmp(pos, wpa_oui, OUI_LEN) &&
 			    pos[OUI_LEN] == 0x01) {
 				ie_info->wpa.data = pos - 2;
 				ie_info->wpa.len = item_len + 2;
@@ -535,7 +540,7 @@ static void gelic_wl_parse_ie(u8 *data, size_t len,
 			break;
 		}
 		pos += item_len;
-		data_left -= item_len + 2;
+		data_left -= item_len;
 	}
 	pr_debug("%s: wpa=%p,%d wpa2=%p,%d\n", __func__,
 		 ie_info->wpa.data, ie_info->wpa.len,