nl80211: fix overflow in ssid_len

author Luciano Coelho <coelho@ti.com>

Tue, 7 Jun 2011 17:42:26 +0000 (20:42 +0300)

committer John W. Linville <linville@tuxdriver.com>

Tue, 7 Jun 2011 18:19:07 +0000 (14:19 -0400)
author Luciano Coelho <coelho@ti.com>
Tue, 7 Jun 2011 17:42:26 +0000 (20:42 +0300)
committer John W. Linville <linville@tuxdriver.com>
Tue, 7 Jun 2011 18:19:07 +0000 (14:19 -0400)
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c

index 88a565f130a5a2e2e0f72fca3c204505a810a652..98fa8eb6cc4bec27e6adbf737c3653392da32adc 100644 (file)
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -3406,11 +3406,11 @@ static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
         i = 0;
         if (info->attrs[NL80211_ATTR_SCAN_SSIDS]) {
                 nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
-                       request->ssids[i].ssid_len = nla_len(attr);
-                       if (request->ssids[i].ssid_len > IEEE80211_MAX_SSID_LEN) {
+                       if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
                                 err = -EINVAL;
                                 goto out_free;
                         }
+                       request->ssids[i].ssid_len = nla_len(attr);
                         memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
                         i++;
                 }
@@ -3572,12 +3572,11 @@ static int nl80211_start_sched_scan(struct sk_buff *skb,
         if (info->attrs[NL80211_ATTR_SCAN_SSIDS]) {
                 nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS],
                                     tmp) {
-                       request->ssids[i].ssid_len = nla_len(attr);
-                       if (request->ssids[i].ssid_len >
-                           IEEE80211_MAX_SSID_LEN) {
+                       if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
                                 err = -EINVAL;
                                 goto out_free;
                         }
+                       request->ssids[i].ssid_len = nla_len(attr);
                         memcpy(request->ssids[i].ssid, nla_data(attr),
                                nla_len(attr));
                         i++;
author	Luciano Coelho <coelho@ti.com>
	Tue, 7 Jun 2011 17:42:26 +0000 (20:42 +0300)
committer	John W. Linville <linville@tuxdriver.com>
	Tue, 7 Jun 2011 18:19:07 +0000 (14:19 -0400)