[PATCH] hostap: Fix unlikely read overrun in CIS parsing The Coverity checker (CID: 452, 453, 454, 455, 456) spotted this unlikely read overrun of CIS buffer. Abort if CISTPL_CONFIG or CISTPL_MANFID would not fit in buffer. Signed-off-by: Jouni Malinen <jkmaline@cc.hut.fi> Signed-off-by: John W. Linville <linville@tuxdriver.com>

commit: 3a1c42ad98fddab63e62b400ae98e6f609485efc [log] [tgz]
author: Jouni Malinen <jkmaline@cc.hut.fi> Sun Mar 19 19:21:47 2006 -0800
committer: John W. Linville <linville@tuxdriver.com> Thu Mar 23 16:16:58 2006 -0500
tree: 419225b1ff68508e04f08dfb98ca8b21d1e83fef
parent: 8abceaf1cf44b9d95bcc366fa277b33e292141c4 [diff]
diff --git a/drivers/net/wireless/hostap/hostap_plx.c b/drivers/net/wireless/hostap/hostap_plx.c
index 94fe244..e258517 100644
--- a/drivers/net/wireless/hostap/hostap_plx.c
+++ b/drivers/net/wireless/hostap/hostap_plx.c

@@ -368,7 +368,7 @@
 
 		switch (cis[pos]) {
 		case CISTPL_CONFIG:
-			if (cis[pos + 1] < 1)
+			if (cis[pos + 1] < 2)
 				goto cis_error;
 			rmsz = (cis[pos + 2] & 0x3c) >> 2;
 			rasz = cis[pos + 2] & 0x03;
@@ -390,7 +390,7 @@
 			break;
 
 		case CISTPL_MANFID:
-			if (cis[pos + 1] < 4)
+			if (cis[pos + 1] < 5)
 				goto cis_error;
 			manfid1 = cis[pos + 2] + (cis[pos + 3] << 8);
 			manfid2 = cis[pos + 4] + (cis[pos + 5] << 8);
commit	3a1c42ad98fddab63e62b400ae98e6f609485efc	[log] [tgz]
author	Jouni Malinen <jkmaline@cc.hut.fi>	Sun Mar 19 19:21:47 2006 -0800
committer	John W. Linville <linville@tuxdriver.com>	Thu Mar 23 16:16:58 2006 -0500
tree	419225b1ff68508e04f08dfb98ca8b21d1e83fef
parent	8abceaf1cf44b9d95bcc366fa277b33e292141c4 [diff]