Commit 412e9e78 authored by Reinette Chatre's avatar Reinette Chatre Committed by John W. Linville

ipw2200: prevent alloc of unspecified size on stack

if log_len is larger than 4K then we are killing the stack.
allocate on heap instead and limit size to what practically can
be used (PAGE_SIZE)
Signed-off-by: default avatarReinette Chatre <reinette.chatre@intel.com>
Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
parent b24d22b1
...@@ -1233,9 +1233,19 @@ static ssize_t show_event_log(struct device *d, ...@@ -1233,9 +1233,19 @@ static ssize_t show_event_log(struct device *d,
{ {
struct ipw_priv *priv = dev_get_drvdata(d); struct ipw_priv *priv = dev_get_drvdata(d);
u32 log_len = ipw_get_event_log_len(priv); u32 log_len = ipw_get_event_log_len(priv);
struct ipw_event log[log_len]; u32 log_size;
struct ipw_event *log;
u32 len = 0, i; u32 len = 0, i;
/* not using min() because of its strict type checking */
log_size = PAGE_SIZE / sizeof(*log) > log_len ?
sizeof(*log) * log_len : PAGE_SIZE;
log = kzalloc(log_size, GFP_KERNEL);
if (!log) {
IPW_ERROR("Unable to allocate memory for log\n");
return 0;
}
log_len = log_size / sizeof(*log);
ipw_capture_event_log(priv, log_len, log); ipw_capture_event_log(priv, log_len, log);
len += snprintf(buf + len, PAGE_SIZE - len, "%08X", log_len); len += snprintf(buf + len, PAGE_SIZE - len, "%08X", log_len);
...@@ -1244,6 +1254,7 @@ static ssize_t show_event_log(struct device *d, ...@@ -1244,6 +1254,7 @@ static ssize_t show_event_log(struct device *d,
"\n%08X%08X%08X", "\n%08X%08X%08X",
log[i].time, log[i].event, log[i].data); log[i].time, log[i].event, log[i].data);
len += snprintf(buf + len, PAGE_SIZE - len, "\n"); len += snprintf(buf + len, PAGE_SIZE - len, "\n");
kfree(log);
return len; return len;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment