[PATCH 326/961] Staging: rtl8712: fix math errors in snprintf()

Greg Kroah-Hartman <gregkh@xxxxxxx> · Wed, 16 Mar 2011 13:59:29 -0700

From: Dan Carpenter <error27@xxxxxxxxx>

The original code had calls to snprintf(p, 7, "wpa_ie=") but that string
is 8 characters (because snprintf() puts a NUL terminator on the end).
So instead of an '=' the what gets written to buf is a NUL terminator
followed by the rest of the string.

And actually the %02x formats are three chars as well when you include
the terminator.

Signed-off-by: Dan Carpenter <error27@xxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxx>
---
 drivers/staging/rtl8712/rtl871x_ioctl_linux.c |   22 +++++++++++++---------
 1 files changed, 13 insertions(+), 9 deletions(-)

diff --git a/drivers/staging/rtl8712/rtl871x_ioctl_linux.c b/drivers/staging/rtl8712/rtl871x_ioctl_linux.c
index 0d288c1..221be81 100644
--- a/drivers/staging/rtl8712/rtl871x_ioctl_linux.c
+++ b/drivers/staging/rtl8712/rtl871x_ioctl_linux.c
@@ -281,18 +281,20 @@ static inline char *translate_scan(struct _adapter *padapter,
 	/* parsing WPA/WPA2 IE */
 	{
 		u16 wpa_len = 0, rsn_len = 0;
-		u8 *p;
+		int n;
 		sint out_len = 0;
 		out_len = r8712_get_sec_ie(pnetwork->network.IEs,
 					   pnetwork->network.
 					   IELength, rsn_ie, &rsn_len,
 					   wpa_ie, &wpa_len);
 		if (wpa_len > 0) {
-			p = buf;
 			memset(buf, 0, MAX_WPA_IE_LEN);
-			p += snprintf(p, 7, "wpa_ie=");
-			for (i = 0; i < wpa_len; i++)
-				p += snprintf(p, 2, "%02x", wpa_ie[i]);
+			n = sprintf(buf, "wpa_ie=");
+			for (i = 0; i < wpa_len; i++) {
+				n += snprintf(buf + n, MAX_WPA_IE_LEN - n, "%02x", wpa_ie[i]);
+				if (n >= MAX_WPA_IE_LEN)
+					break;
+			}
 			memset(&iwe, 0, sizeof(iwe));
 			iwe.cmd = IWEVCUSTOM;
 			iwe.u.data.length = (u16)strlen(buf);
@@ -305,11 +307,13 @@ static inline char *translate_scan(struct _adapter *padapter,
 				&iwe, wpa_ie);
 		}
 		if (rsn_len > 0) {
-			p = buf;
 			memset(buf, 0, MAX_WPA_IE_LEN);
-			p += snprintf(p, 7, "rsn_ie=");
-			for (i = 0; i < rsn_len; i++)
-				p += snprintf(p, 2, "%02x", rsn_ie[i]);
+			n = sprintf(buf, "rsn_ie=");
+			for (i = 0; i < rsn_len; i++) {
+				n += snprintf(buf + n, MAX_WPA_IE_LEN - n, "%02x", rsn_ie[i]);
+				if (n >= MAX_WPA_IE_LEN)
+					break;
+			}
 			memset(&iwe, 0, sizeof(iwe));
 			iwe.cmd = IWEVCUSTOM;
 			iwe.u.data.length = strlen(buf);
-- 
1.7.4.1

_______________________________________________
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxx
http://driverdev.linuxdriverproject.org/mailman/listinfo/devel





