iwmc3200wifi: add a range check to iwm_cfg80211_get_key()
authorDan Carpenter <dan.carpenter@oracle.com>
Wed, 12 Oct 2011 08:10:37 +0000 (11:10 +0300)
committerJohn W. Linville <linville@tuxdriver.com>
Fri, 14 Oct 2011 18:48:15 +0000 (14:48 -0400)
Smatch complains that "key_index" is capped at 5 in nl80211_get_key()
but iwm->keys[] only has 4 elements.  I don't know if this is really
needed, but the other ->get_key() implementations seemed to check
for overflows so I've added a check here.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Samuel Ortiz <sameo@linux.intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
drivers/net/wireless/iwmc3200wifi/cfg80211.c

index ed57e44028009e0b6dd515169416caa4d213029b..c42be81e979ebd700742154922acce4fcb6acde7 100644 (file)
@@ -187,13 +187,17 @@ static int iwm_cfg80211_get_key(struct wiphy *wiphy, struct net_device *ndev,
                                                 struct key_params*))
 {
        struct iwm_priv *iwm = ndev_to_iwm(ndev);
-       struct iwm_key *key = &iwm->keys[key_index];
+       struct iwm_key *key;
        struct key_params params;
 
        IWM_DBG_WEXT(iwm, DBG, "Getting key %d\n", key_index);
 
+       if (key_index >= IWM_NUM_KEYS)
+               return -ENOENT;
+
        memset(&params, 0, sizeof(params));
 
+       key = &iwm->keys[key_index];
        params.cipher = key->cipher;
        params.key_len = key->key_len;
        params.seq_len = key->seq_len;