staging: wlan-ng fix buffer overflow in firmware handling

We test for an END marker in the element beyond the current one, this
effectively limits the size of the array to be HFA384x_PDA_LEN_MAX/2 - 1
not HFA384x_PDR_END_OF_PDA/2. This patch fixes a possible buffer
overflow in case there was no END marker.

Signed-off-by: Tillmann Heidsieck <theidsieck@leenox.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/staging/wlan-ng/prism2fw.c b/drivers/staging/wlan-ng/prism2fw.c
index fe36613589ae4c03d01ea6ddeb4f60aac1732a16..d357b7ecb1fcdc88773e62b9e1d0964f4cabf819 100644 (file)
--- a/drivers/staging/wlan-ng/prism2fw.c
+++ b/drivers/staging/wlan-ng/prism2fw.c
@@ -590,7 +590,7 @@ static int mkpdrlist(struct pda *pda)
 
        pda->nrec = 0;
        curroff = 0;
-       while (curroff < (HFA384x_PDA_LEN_MAX / 2) &&
+       while (curroff < (HFA384x_PDA_LEN_MAX / 2 - 1) &&
               le16_to_cpu(pda16[curroff + 1]) != HFA384x_PDR_END_OF_PDA) {
                pda->rec[pda->nrec] = (hfa384x_pdrec_t *) &(pda16[curroff]);
 
@@ -626,7 +626,7 @@ static int mkpdrlist(struct pda *pda)
                curroff += le16_to_cpu(pda16[curroff]) + 1;
 
        }
-       if (curroff >= (HFA384x_PDA_LEN_MAX / 2)) {
+       if (curroff >= (HFA384x_PDA_LEN_MAX / 2 - 1)) {
                pr_err("no end record found or invalid lengths in PDR data, exiting. %x %d\n",
                       curroff, pda->nrec);
                return 1;