@@ -738,26 +738,23 @@ static int ioctl_standard_iw_point(struc
/* Save user space buffer size for checking */
user_length = iwp->length;
- /* Don't check if user_length > max to allow forward
- * compatibility. The test user_length < min is
- * implied by the test at the end.
- */
-
/* Support for very large requests */
- if ((descr->flags & IW_DESCR_FLAG_NOMAX) &&
- (user_length > descr->max_tokens)) {
+ if (descr->flags & IW_DESCR_FLAG_NOMAX) {
/* Allow userspace to GET more than max so
* we can support any size GET requests.
- * There is still a limit : -ENOMEM.
- */
- extra_size = user_length * descr->token_size;
-
- /* Note : user_length is originally a __u16,
+ * There is still a limit: 64k records of
+ * token_size (since a u16 is used).
+ *
+ * Note: user_length is originally a u16,
* and token_size is controlled by us,
* so extra_size won't get negative and
* won't overflow...
*/
- }
+ if (user_length > descr->max_tokens)
+ extra_size = user_length * descr->token_size;
+ } else
+ user_length = min_t(int, user_length,
+ descr->max_tokens);
}
/* kzalloc() ensures NULL-termination for essid_compat. */