summaryrefslogtreecommitdiffstats
path: root/drivers
diff options
context:
space:
mode:
Diffstat (limited to 'drivers')
-rw-r--r--drivers/net/wireless/cw1200/debug.c18
1 files changed, 14 insertions, 4 deletions
diff --git a/drivers/net/wireless/cw1200/debug.c b/drivers/net/wireless/cw1200/debug.c
index eb40c9c61a5..1596b7042cb 100644
--- a/drivers/net/wireless/cw1200/debug.c
+++ b/drivers/net/wireless/cw1200/debug.c
@@ -397,13 +397,13 @@ struct etf_req_msg;
static int etf_request(struct cw1200_common *priv,
struct etf_req_msg *msg, u32 len);
-#define MAX_RX_SZE 2600
+#define MAX_RX_SIZE 2600
struct etf_in_state {
struct cw1200_common *priv;
- u32 total_len;
- u8 buf[MAX_RX_SZE];
- u32 written;
+ u16 total_len;
+ u16 written;
+ u8 buf[MAX_RX_SIZE];
};
static int cw1200_etf_in_open(struct inode *inode, struct file *file)
@@ -448,6 +448,11 @@ static ssize_t cw1200_etf_in_write(struct file *file,
return -EFAULT;
}
+ if (etf->total_len > MAX_RX_SIZE) {
+ pr_err("requested length > MAX_RX_SIZE\n");
+ return -EINVAL;
+ }
+
written += sizeof(etf->total_len);
count -= sizeof(etf->total_len);
}
@@ -455,6 +460,11 @@ static ssize_t cw1200_etf_in_write(struct file *file,
if (!count)
goto done;
+ if (count > (etf->total_len - written)) {
+ pr_err("Tried to write > MAX_RX_SIZE\n");
+ return -EINVAL;
+ }
+
if (copy_from_user(etf->buf + etf->written, user_buf + written,
count)) {
pr_err("copy_from_user (payload %zu) failed\n", count);