staging: ath6kl: buffer overflow in SEND_FRAME ioctl

We should check that optTxFrmCmd.optIEDataLen isn't too large before we copy it into the data buffer. Signed-off-by: Dan Carpenter <error27@gmail.com> Acked-by: Vipin Mehta <vipin.mehta@atheros.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
author: Dan Carpenter <error27@gmail.com> 2011-02-20 15:49:53 +0300
committer: Greg Kroah-Hartman <gregkh@suse.de> 2011-02-23 14:00:13 -0800
commit: 5b6567ee84d6e8f7015eaa7d7c4926b4fd81746e (patch)
tree: 92c7ee327f13151e4534e7a68aba02be59ed2612 /drivers
parent: 253804a25b45aad7bf4f63483f7c7b1d14ab49e2 (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/drivers/staging/ath6kl/os/linux/ioctl.c b/drivers/staging/ath6kl/os/linux/ioctl.c
index 82c7611c2081..4f30b255fc1a 100644
--- a/drivers/staging/ath6kl/os/linux/ioctl.c
+++ b/drivers/staging/ath6kl/os/linux/ioctl.c
@@ -3175,6 +3175,11 @@ int ar6000_ioctl(struct net_device *dev, struct ifreq *rq, int cmd)
                 break;
             }
 
+            if (optTxFrmCmd.optIEDataLen > MAX_OPT_DATA_LEN) {
+                ret = -EINVAL;
+                break;
+            }
+
             if (copy_from_user(data, userdata+sizeof(WMI_OPT_TX_FRAME_CMD) - 1,
                                    optTxFrmCmd.optIEDataLen)) {
                 ret = -EFAULT;
author	Dan Carpenter <error27@gmail.com>	2011-02-20 15:49:53 +0300
committer	Greg Kroah-Hartman <gregkh@suse.de>	2011-02-23 14:00:13 -0800
commit	5b6567ee84d6e8f7015eaa7d7c4926b4fd81746e (patch)
tree	92c7ee327f13151e4534e7a68aba02be59ed2612 /drivers
parent	253804a25b45aad7bf4f63483f7c7b1d14ab49e2 (diff)