]> git.karo-electronics.de Git - linux-beck.git/commitdiff
projects / linux-beck.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: c3c5bb3)
drivers/net/wireless/hostap: Integer overflow
authorWenliang Fan <fanwlexca@gmail.com>
Wed, 18 Dec 2013 05:56:12 +0000 (13:56 +0800)
committerJohn W. Linville <linville@tuxdriver.com>
Fri, 3 Jan 2014 20:36:56 +0000 (15:36 -0500)
The local variable 'value' comes from 'extra', a parameter of function
'prism2_ioctl_priv_prism2_param'. If a large number passed to 'value',
there would be an integer overflow in the following line:
local->passive_scan_timer.expires = jiffies +
local->passive_scan_interval * HZ

Signed-off-by: Wenliang Fan <fanwlexca@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
drivers/net/wireless/hostap/hostap_ioctl.c patch | blob | history

diff --git a/drivers/net/wireless/hostap/hostap_ioctl.c b/drivers/net/wireless/hostap/hostap_ioctl.c
index e5090309824e53c04d1961c0fd6993e80c5aa61e..63e350affc7ed3b11b2928ddb0e634cd57c54d07 100644 (file)
--- a/drivers/net/wireless/hostap/hostap_ioctl.c
+++ b/drivers/net/wireless/hostap/hostap_ioctl.c
@@ -2567,7 +2567,7 @@ static int prism2_ioctl_priv_prism2_param(struct net_device *dev,
                local->passive_scan_interval = value;
                if (timer_pending(&local->passive_scan_timer))
                        del_timer(&local->passive_scan_timer);
-               if (value > 0) {
+               if (value > 0 && value < INT_MAX / HZ) {
                        local->passive_scan_timer.expires = jiffies +
                                local->passive_scan_interval * HZ;
                        add_timer(&local->passive_scan_timer);
Beck SC1x5 Kernel