summaryrefslogtreecommitdiffstats
path: root/drivers
diff options
context:
space:
mode:
authorMichael Buesch <mb@bu3sch.de>2007-12-27 22:15:11 +0100
committerDavid S. Miller <davem@davemloft.net>2008-01-28 15:09:46 -0800
commit47f76ca3a34cd6571a2de39da2926123ca39a4c1 (patch)
treef9924200068ff173a23f811b3dcee565a3fccbea /drivers
parent280d0e16bcbf5893505a0d0897f3ca1ddc0764fa (diff)
downloadlinux-47f76ca3a34cd6571a2de39da2926123ca39a4c1.tar.gz
linux-47f76ca3a34cd6571a2de39da2926123ca39a4c1.tar.bz2
linux-47f76ca3a34cd6571a2de39da2926123ca39a4c1.zip
b43: Fix tim search buffer overrun
Use the length of the variable section of the beacon instead of the whole beacon length for bounds checking. Signed-off-by: Michael Buesch <mb@bu3sch.de> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/net/wireless/b43/main.c7
1 files changed, 4 insertions, 3 deletions
diff --git a/drivers/net/wireless/b43/main.c b/drivers/net/wireless/b43/main.c
index 345ac3862e11..a15a45b789b1 100644
--- a/drivers/net/wireless/b43/main.c
+++ b/drivers/net/wireless/b43/main.c
@@ -1163,7 +1163,7 @@ static void b43_write_beacon_template(struct b43_wldev *dev,
u16 ram_offset,
u16 shm_size_offset, u8 rate)
{
- int i, len;
+ unsigned int i, len, variable_len;
const struct ieee80211_mgmt *bcn;
const u8 *ie;
bool tim_found = 0;
@@ -1178,7 +1178,8 @@ static void b43_write_beacon_template(struct b43_wldev *dev,
/* Find the position of the TIM and the DTIM_period value
* and write them to SHM. */
ie = bcn->u.beacon.variable;
- for (i = 0; i < len - 2; ) {
+ variable_len = len - offsetof(struct ieee80211_mgmt, u.beacon.variable);
+ for (i = 0; i < variable_len - 2; ) {
uint8_t ie_id, ie_len;
ie_id = ie[i];
@@ -1189,7 +1190,7 @@ static void b43_write_beacon_template(struct b43_wldev *dev,
/* This is the TIM Information Element */
/* Check whether the ie_len is in the beacon data range. */
- if (len < ie_len + 2 + i)
+ if (variable_len < ie_len + 2 + i)
break;
/* A valid TIM is at least 4 bytes long. */
if (ie_len < 4)