ipw2200: prevent alloc of unspecified size on stack
authorReinette Chatre <reinette.chatre@intel.com>
Wed, 19 Dec 2007 06:01:02 +0000 (22:01 -0800)
committerJohn W. Linville <linville@tuxdriver.com>
Thu, 20 Dec 2007 02:31:01 +0000 (21:31 -0500)
if log_len is larger than 4K then we are killing the stack.
allocate on heap instead and limit size to what practically can
be used (PAGE_SIZE)

Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
drivers/net/wireless/ipw2200.c

index 54f44e5..38ce8ee 100644 (file)
@@ -1233,9 +1233,19 @@ static ssize_t show_event_log(struct device *d,
 {
        struct ipw_priv *priv = dev_get_drvdata(d);
        u32 log_len = ipw_get_event_log_len(priv);
-       struct ipw_event log[log_len];
+       u32 log_size;
+       struct ipw_event *log;
        u32 len = 0, i;
 
+       /* not using min() because of its strict type checking */
+       log_size = PAGE_SIZE / sizeof(*log) > log_len ?
+                       sizeof(*log) * log_len : PAGE_SIZE;
+       log = kzalloc(log_size, GFP_KERNEL);
+       if (!log) {
+               IPW_ERROR("Unable to allocate memory for log\n");
+               return 0;
+       }
+       log_len = log_size / sizeof(*log);
        ipw_capture_event_log(priv, log_len, log);
 
        len += snprintf(buf + len, PAGE_SIZE - len, "%08X", log_len);
@@ -1244,6 +1254,7 @@ static ssize_t show_event_log(struct device *d,
                                "\n%08X%08X%08X",
                                log[i].time, log[i].event, log[i].data);
        len += snprintf(buf + len, PAGE_SIZE - len, "\n");
+       kfree(log);
        return len;
 }