Re: [report] staging: r8723au: rtw_report_sec_ie23a() is buggy

Dan Carpenter <dan.carpenter@xxxxxxxxxx> writes:
> Hello Larry, Jes,
>
> The rtw_report_sec_ie23a() is very buggy.
>
> 1) It uses GFP_KERNEL but the callers are holding a spinlock.
>
> 	rtw_select_and_join_from_scanned_queue23a() <- takes lock
> 	-> rtw_joinbss_cmd23a()
>            -> rtw_restruct_sec_ie23a()
>               -> rtw_report_sec_ie23a()
>
> 2) The sprintf() can overflow because we're putting over 512 characters
>    into an IW_CUSTOM_MAX (256) character buffer.
>
> 3) It could actually be far worse than 512.  It could be a forever
>    loop!  :P  The "i" variable is declared as u8 so it will always be
>    less than IW_CUSTOM_MAX (256).
>
> 4) What is the point of this function?  It doesn't seem to store "buff"
>    anywhere or do anything with "wrqu".

Dan,

I fixed it by ripping out the whole function, since it wasn't doing
anything at all.

Cheers,
Jes
_______________________________________________
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxx
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
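Points 2 and 3 of the quoted report, as an added illustration that is not the driver's code and not part of either message: a `u8` counter wraps before it can reach 256, and hex-formatting an information element into a 256-byte buffer needs an explicit space check. The names `u8_wraps`, `ie_to_hex` and `CUSTOM_MAX` and the sample bytes are hypothetical, chosen for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CUSTOM_MAX 256 /* stands in for IW_CUSTOM_MAX (256) named in the report */

/* Point 3: a u8 counter wraps 255 -> 0, so "i < 256" can never be false.
 * Returns how often i wrapped in `steps` increments (bounded so it ends). */
static unsigned u8_wraps(unsigned steps)
{
	uint8_t i = 0;
	unsigned wraps = 0;

	while (steps--)
		if (++i == 0)
			wraps++;
	return wraps;
}

/* Bounded form: write prefix + two hex digits per IE byte into buf.
 * Returns the resulting string length, or -1 if it would not fit. */
static int ie_to_hex(char *buf, size_t buf_len, const char *prefix,
		     const uint8_t *ie, size_t ie_len)
{
	size_t off, i; /* size_t index, so the loop bound is reachable */
	int n;

	if (buf_len == 0)
		return -1;
	n = snprintf(buf, buf_len, "%s", prefix);
	if (n < 0 || (size_t)n >= buf_len)
		return -1;
	off = (size_t)n;
	for (i = 0; i < ie_len; i++) {
		if (buf_len - off < 3) /* need 2 digits + NUL */
			return -1;
		off += (size_t)snprintf(buf + off, buf_len - off, "%02x",
					(unsigned)ie[i]);
	}
	return (int)off;
}

int main(void)
{
	char buf[CUSTOM_MAX];
	uint8_t ie[255] = { 0x30, 0x14, 0x01 }; /* constructed sample bytes */

	printf("%d %s\n", ie_to_hex(buf, sizeof(buf), "ie=", ie, 3), buf);
	printf("%d\n", ie_to_hex(buf, sizeof(buf), "ie=", ie, sizeof(ie)));
	printf("%u\n", u8_wraps(600));
	return 0;
}
```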



