aboutsummaryrefslogtreecommitdiffstats
path: root/drivers
diff options
context:
space:
mode:
authorReinette Chatre <reinette.chatre@intel.com>2007-12-18 22:01:02 -0800
committerJohn W. Linville <linville@tuxdriver.com>2007-12-19 21:31:01 -0500
commit412e9e7800360ec93b6ba319b30666f6bfc721bd (patch)
tree03f8c45a68c123f8a290c567f07f12d500472ea5 /drivers
parentb24d22b1d12c436a86282347868785207cff8a88 (diff)
downloadkernel_samsung_smdk4412-412e9e7800360ec93b6ba319b30666f6bfc721bd.tar.gz
kernel_samsung_smdk4412-412e9e7800360ec93b6ba319b30666f6bfc721bd.tar.bz2
kernel_samsung_smdk4412-412e9e7800360ec93b6ba319b30666f6bfc721bd.zip
ipw2200: prevent alloc of unspecified size on stack
if log_len is larger than 4K then we are killing the stack. allocate on heap instead and limit size to what practically can be used (PAGE_SIZE) Signed-off-by: Reinette Chatre <reinette.chatre@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/net/wireless/ipw2200.c13
1 files changed, 12 insertions, 1 deletions
diff --git a/drivers/net/wireless/ipw2200.c b/drivers/net/wireless/ipw2200.c
index 54f44e5473c..38ce8ee8d6f 100644
--- a/drivers/net/wireless/ipw2200.c
+++ b/drivers/net/wireless/ipw2200.c
@@ -1233,9 +1233,19 @@ static ssize_t show_event_log(struct device *d,
{
struct ipw_priv *priv = dev_get_drvdata(d);
u32 log_len = ipw_get_event_log_len(priv);
- struct ipw_event log[log_len];
+ u32 log_size;
+ struct ipw_event *log;
u32 len = 0, i;
+ /* not using min() because of its strict type checking */
+ log_size = PAGE_SIZE / sizeof(*log) > log_len ?
+ sizeof(*log) * log_len : PAGE_SIZE;
+ log = kzalloc(log_size, GFP_KERNEL);
+ if (!log) {
+ IPW_ERROR("Unable to allocate memory for log\n");
+ return 0;
+ }
+ log_len = log_size / sizeof(*log);
ipw_capture_event_log(priv, log_len, log);
len += snprintf(buf + len, PAGE_SIZE - len, "%08X", log_len);
@@ -1244,6 +1254,7 @@ static ssize_t show_event_log(struct device *d,
"\n%08X%08X%08X",
log[i].time, log[i].event, log[i].data);
len += snprintf(buf + len, PAGE_SIZE - len, "\n");
+ kfree(log);
return len;
}