From: Young Xiao <YangX92@xxxxxxxxxxx> In routine rtw_report_sec_ie(), the code could set the length of the buffer to 256; however, that value is one larger than the corresponding memory allocation. See commit 8b7a13c3f404 ("staging: r8712u: Fix possible buffer overrun") for detail. Signed-off-by: Young Xiao <YangX92@xxxxxxxxxxx> --- drivers/staging/rtl8723bs/os_dep/mlme_linux.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/staging/rtl8723bs/os_dep/mlme_linux.c b/drivers/staging/rtl8723bs/os_dep/mlme_linux.c index da4bd52..085026c 100644 --- a/drivers/staging/rtl8723bs/os_dep/mlme_linux.c +++ b/drivers/staging/rtl8723bs/os_dep/mlme_linux.c @@ -165,7 +165,7 @@ void rtw_report_sec_ie(struct adapter *adapter, u8 authmode, u8 *sec_ie) p += sprintf(p, "ASSOCINFO(ReqIEs ="); len = sec_ie[1] + 2; - len = (len < IW_CUSTOM_MAX) ? len : IW_CUSTOM_MAX; + len = (len < IW_CUSTOM_MAX) ? len : IW_CUSTOM_MAX - 1; for (i = 0; i < len; i++) { p += sprintf(p, "%02x", sec_ie[i]); -- 2.7.4 _______________________________________________ devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxx http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
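Review bot: In the rtw_report_sec_ie() hunk, clamping len to IW_CUSTOM_MAX - 1 limits how many bytes are read from sec_ie, not how many characters are written through p. Each loop iteration runs `p += sprintf(p, "%02x", sec_ie[i]);`, which emits two characters per input byte, and it follows the "ASSOCINFO(ReqIEs =" prefix already written to the same buffer. With len at 255 the loop alone produces 510 characters, so if the destination is sized by IW_CUSTOM_MAX as the commit message describes, the overrun is still reachable after this change. Consider bounding the loop by the remaining output space instead: either clamp len to half of what is left after the prefix, less room for the terminating NUL and anything appended after the loop, or write with scnprintf() against the space remaining in the buffer. The allocation is not visible in this hunk, so the commit message or a comment beside the clamp should state its size and the arithmetic behind the chosen limit.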