- 论坛徽章:
- 0
|
- linux-2.6.18.3/net/ieee80211/ieee80211_wx.c
- int ieee80211_wx_set_encode(struct ieee80211_device *ieee,
- struct iw_request_info *info,
- union iwreq_data *wrqu, char *keybuf)
- {
- .......
- /* If a new key was provided, set it up */
- if (erq->length > 0) {
- len = erq->length <= 5 ? 5 : 13;
- //overflow if erq->length > sizeof(sec.keys[key]) #####
- memcpy(sec.keys[key], keybuf, erq->length);
- if (len > erq->length)
- memset(sec.keys[key] + erq->length, 0, len - erq->length);
- //leakage of key info #####
- IEEE80211_DEBUG_WX("Setting key %d to '%s' (%d:%d bytes)\n",
- key, escape_essid(sec.keys[key], len),
- erq->length, len);
- .......
- }
复制代码
[ 本帖最后由 sisi8408 于 2007-1-31 16:34 编辑 ] |
|