[patch] otus: off by one in usbdrvwext_siwessid()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

A 33 char ESSID is too long and it could cause a buffer overflow
a couple lines below when we put a NULL terminator on the end.

Signed-off-by: Dan Carpenter <error27@xxxxxxxxx>

--- orig/drivers/staging/otus/ioctl.c	2009-12-28 09:42:55.000000000 +0200
+++ devel/drivers/staging/otus/ioctl.c	2009-12-28 09:43:48.000000000 +0200
@@ -930,7 +930,7 @@ int usbdrvwext_siwessid(struct net_devic
 		return -EINVAL;
 
 	if (essid->flags == 1) {
-		if (essid->length > (IW_ESSID_MAX_SIZE + 1))
+		if (essid->length > IW_ESSID_MAX_SIZE)
 			return -E2BIG;
 
 		if (copy_from_user(&EssidBuf, essid->pointer, essid->length))
_______________________________________________
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxx
http://driverdev.linuxdriverproject.org/mailman/listinfo/devel
[Index of Archives]     [Linux Driver Backports]     [DMA Engine]     [Linux GPIO]     [Linux SPI]     [Video for Linux]     [Linux USB Devel]     [Linux Coverity]     [Linux Audio Users]     [Linux Kernel]     [Linux SCSI]     [Yosemite Backpacking]
  Powered by Linux