author | Eliad Peller <eliad@wizery.com> | 2011-05-01 09:56:45 +0300 |
---|---|---|
committer | Luciano Coelho <coelho@ti.com> | 2011-05-13 00:06:31 +0300 |
commit | 889cb360b4f48c1334311093161f06f7b4bd77d2 (patch) | |
tree | 601cf1594b60dde7755260a67d276fc9e8a8b04a | |
parent | 6b86bd62a505a4a9739474f00f8088395b7a80ba (diff) | |
wl12xx: simplify wl1271_ssid_set()
Simplify wl1271_ssid_set by re-using cfg80211_find_ie instead of
reimplementing it.
Additionally, add a length check to prevent a potential buffer overflow.
Signed-off-by: Eliad Peller <eliad@wizery.com>
Signed-off-by: Luciano Coelho <coelho@ti.com>
-rw-r--r-- | drivers/net/wireless/wl12xx/main.c | 26 |
1 files changed, 15 insertions, 11 deletions
diff --git a/drivers/net/wireless/wl12xx/main.c b/drivers/net/wireless/wl12xx/main.c
index 6dab6f0c91bc..f82e736ba197 100644
--- a/drivers/net/wireless/wl12xx/main.c
+++ b/drivers/net/wireless/wl12xx/main.c
@@ -2376,20 +2376,24 @@ out:
 static int wl1271_ssid_set(struct wl1271 *wl, struct sk_buff *skb, int offset)
 {
- u8 *ptr = skb->data + offset;
+ u8 ssid_len;
+ const u8 *ptr = cfg80211_find_ie(WLAN_EID_SSID, skb->data + offset,
+ skb->len - offset);
- /* find the location of the ssid in the beacon */
- while (ptr < skb->data + skb->len) {
- if (ptr[0] == WLAN_EID_SSID) {
- wl->ssid_len = ptr[1];
- memcpy(wl->ssid, ptr+2, wl->ssid_len);
- return 0;
- }
- ptr += (ptr[1] + 2);
+ if (!ptr) {
+ wl1271_error("No SSID in IEs!");
+ return -ENOENT;
 }
- wl1271_error("No SSID in IEs!\n");
- return -ENOENT;
+ ssid_len = ptr[1];
+ if (ssid_len > IEEE80211_MAX_SSID_LEN) {
+ wl1271_error("SSID is too long!");
+ return -EINVAL;
+ }
+
+ wl->ssid_len = ssid_len;
+ memcpy(wl->ssid, ptr+2, ssid_len);
+ return 0;
 }
 static int wl1271_bss_erp_info_changed(struct wl1271 *wl, |
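Review bot: `skb->len - offset` is handed to cfg80211_find_ie() without first checking that `offset` lies inside the frame, so the search length relies on every caller passing an offset no larger than `skb->len`. Assuming `skb->len` is unsigned, an oversized offset wraps instead of going negative, and what happens next depends on the helper's length parameter type, which is not visible in this hunk. A guard at the top of wl1271_ssid_set(), `if (offset < 0 || offset > skb->len) return -EINVAL;`, would make the function safe on its own. The new length check also assumes `wl->ssid` holds at least IEEE80211_MAX_SSID_LEN bytes; its declaration is outside the hunk, so comparing against `sizeof(wl->ssid)` or adding a `BUILD_BUG_ON` would tie the bound to the actual buffer.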