question about potential integer truncation in mwifiex_set_wapi_ie and mwifiex_set_wps_ie
From: PaX Team <hidden>
Date: 2015-09-29 15:33:28
Also in:
linux-wireless
Hi all,

in drivers/net/wireless/mwifiex/sta_ioctl.c the following functions:

  mwifiex_set_wpa_ie_helper
  mwifiex_set_wapi_ie
  mwifiex_set_wps_ie

can truncate the incoming ie_len argument from u16 to u8 when it gets stored in mwifiex_private.wpa_ie_len, mwifiex_private.wapi_ie_len and mwifiex_private.wps_ie_len, respectively. Based on some light code reading it seems a length value of 256 is valid (IEEE_MAX_IE_SIZE and MWIFIEX_MAX_VSIE_LEN seem to limit it) and thus would get truncated to 0 when stored in those u8 fields. The question is whether this is intentional or a bug somewhere.

FTR, this issue was detected with the upcoming version of the size overflow plugin we have in PaX/grsecurity and there are a handful of similar cases in the tree where potentially unwanted or unnecessary integer truncations occur, this being one of these. Any opinion/help is welcome!

cheers,
 PaX Team
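The truncation described in the mail, as an added example that is not part of the original post or of the mwifiex driver: `struct model_private`, `store_ie_len_truncating` and `store_ie_len_checked` are assumed, simplified stand-ins for the real mwifiex_private fields and setters, showing how a u16 length of 256 becomes 0 in a u8 field and how a checked store rejects it.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

typedef uint8_t u8;
typedef uint16_t u16;

/* Constructed model of the per-interface state; the real mwifiex_private
 * holds many more fields. Only the length-field width matters here. */
#define IEEE_MAX_IE_SIZE 256

struct model_private {
	u8 wpa_ie[IEEE_MAX_IE_SIZE];
	u8 wpa_ie_len;            /* u8: a valid length of 256 does not fit */
};

/* Mirrors the pattern the mail describes: u16 ie_len stored into a u8. */
static unsigned int store_ie_len_truncating(struct model_private *priv, u16 ie_len)
{
	priv->wpa_ie_len = ie_len;    /* implicit u16 -> u8 conversion, 256 -> 0 */
	return priv->wpa_ie_len;
}

/* Hardened variant: refuse any length that does not round-trip through
 * the field or exceed the backing buffer (-1 stands in for -EINVAL). */
static int store_ie_len_checked(struct model_private *priv, const u8 *ie, u16 ie_len)
{
	if (ie_len > sizeof(priv->wpa_ie) || ie_len > UINT8_MAX)
		return -1;
	memcpy(priv->wpa_ie, ie, ie_len);
	priv->wpa_ie_len = (u8)ie_len;
	return 0;
}

/* Scenario helpers: fresh state and a constructed 0xdd-filled IE buffer. */
static unsigned int truncated_len_for(u16 ie_len)
{
	struct model_private priv = {0};
	return store_ie_len_truncating(&priv, ie_len);
}

static int checked_result_for(u16 ie_len)
{
	struct model_private priv = {0};
	u8 ie[IEEE_MAX_IE_SIZE];
	memset(ie, 0xdd, sizeof(ie));
	return store_ie_len_checked(&priv, ie, ie_len);
}

int main(void)
{
	printf("ie_len 256 stored in u8 -> %u\n", truncated_len_for(256));
	printf("checked store: 256 -> %d, 255 -> %d\n",
	       checked_result_for(256), checked_result_for(255));
	return 0;
}
```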