From 115e222d538e7838bffa0f76409acd9816a0ef32 Mon Sep 17 00:00:00 2001 From: Pavel Roskin Date: Tue, 24 Oct 2006 22:41:27 -0400 Subject: [PATCH] hostap_plx: fix CIS verification The length of the manfid CIS should be at least 4, and it's normally 4. It's incorrect to require it to be at least 5. This breaks support for most (if not all) cards. The right place to ensure that we don't access beyond the CIS buffer is to strengthen another check. Make sure that the next tuple begins at least at the CIS buffer end (in which case we stop processing) or before that. Reported by ph35sm@free.fr Signed-off-by: Pavel Roskin Signed-off-by: John W. Linville --- drivers/net/wireless/hostap/hostap_plx.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'drivers/net/wireless/hostap/hostap_plx.c') diff --git a/drivers/net/wireless/hostap/hostap_plx.c b/drivers/net/wireless/hostap/hostap_plx.c index 6dfa041be66d..bc81b13a5a2a 100644 --- a/drivers/net/wireless/hostap/hostap_plx.c +++ b/drivers/net/wireless/hostap/hostap_plx.c @@ -364,7 +364,7 @@ static int prism2_plx_check_cis(void __iomem *attr_mem, int attr_len, pos = 0; while (pos < CIS_MAX_LEN - 1 && cis[pos] != CISTPL_END) { - if (pos + cis[pos + 1] >= CIS_MAX_LEN) + if (pos + 2 + cis[pos + 1] > CIS_MAX_LEN) goto cis_error; switch (cis[pos]) { @@ -391,7 +391,7 @@ static int prism2_plx_check_cis(void __iomem *attr_mem, int attr_len, break; case CISTPL_MANFID: - if (cis[pos + 1] < 5) + if (cis[pos + 1] < 4) goto cis_error; manfid1 = cis[pos + 2] + (cis[pos + 3] << 8); manfid2 = cis[pos + 4] + (cis[pos + 5] << 8); -- cgit v1.2.3 From b0471bb7b779f5deea109e5bfdfe8c18d4a06241 Mon Sep 17 00:00:00 2001 From: Yan Burman Date: Sat, 2 Dec 2006 13:33:40 +0200 Subject: [PATCH] hostap: replace kmalloc+memset with kzalloc Replace kmalloc+memset with kzalloc Signed-off-by: Yan Burman Signed-off-by: John W. Linville --- drivers/net/wireless/hostap/hostap_plx.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'drivers/net/wireless/hostap/hostap_plx.c') diff --git a/drivers/net/wireless/hostap/hostap_plx.c b/drivers/net/wireless/hostap/hostap_plx.c index bc81b13a5a2a..e235e0647897 100644 --- a/drivers/net/wireless/hostap/hostap_plx.c +++ b/drivers/net/wireless/hostap/hostap_plx.c @@ -447,10 +447,9 @@ static int prism2_plx_probe(struct pci_dev *pdev, int tmd7160; struct hostap_plx_priv *hw_priv; - hw_priv = kmalloc(sizeof(*hw_priv), GFP_KERNEL); + hw_priv = kzalloc(sizeof(*hw_priv), GFP_KERNEL); if (hw_priv == NULL) return -ENOMEM; - memset(hw_priv, 0, sizeof(*hw_priv)); if (pci_enable_device(pdev)) goto err_out_free; -- cgit v1.2.3