Thread: 18 messages, 5 authors, 2010-09-15

Re: [PATCH] wireless: fix 64K kernel heap content leak via ioctl

From: Jean Tourrilhes <hidden>
Date: 2010-08-27 22:40:26
Also in: linux-wireless, lkml

On Fri, Aug 27, 2010 at 03:35:19PM -0700, Luis R. Rodriguez wrote:
quoted
diff -u -p wext.j2.c wext.c
--- wext.j2.c   2010-08-27 14:17:26.000000000 -0700
+++ wext.c      2010-08-27 14:19:33.000000000 -0700
@@ -800,9 +800,12 @@ static int ioctl_standard_iw_point(struc
                       goto out;
               }

-               if (copy_to_user(iwp->pointer, extra,
-                                iwp->length *
-                                descr->token_size)) {
+               /* Verify how much we should return. Some driver
+                * may abuse iwp->length... */
+               if((iwp->length * descr->token_size) < extra_size)
+                       extra_size = iwp->length * descr->token_size;
+
+               if (copy_to_user(iwp->pointer, extra, extra_size)) {
                       err = -EFAULT;
                       goto out;
               }
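
Review bot: In the added clamp ahead of copy_to_user(), iwp->length itself is left untouched when the driver's value exceeds the buffer, so the copy is shortened to extra_size while the length field still claims more tokens than were actually copied. If that field is reported back to user space, either clamp it as well or fail the request rather than truncating silently. The product iwp->length * descr->token_size is also evaluated twice; computing it once into a local and passing the minimum to copy_to_user() would read better and would avoid overwriting extra_size, which this hunk does not show to be unused afterwards. On style, the kernel convention is a space after the keyword ("if (" rather than "if("), and the comment would read better as "Some drivers may abuse iwp->length".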

Jean, can you submit in a new thread and right before the SOB add in
the commit log Cc: stable-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org [2.6.32+]
	The current patch was made for 2.6.27 and was only
compiled. Someone would need to verify it works for 2.6.32. I could
probably find some time next week.
  Luis
	Regards,

	Jean