On 03.02.2014 23:38, Dan Carpenter wrote: > The go_devadd_str[] array is two characters too small to hold the > address so we corrupt memory. > > I've changed the user space API slightly and I don't have a way to test > if this breaks anything. In the original code we truncated away the > last digit of the address and the NUL terminator so it was already a bit > broken. > > Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> > > diff --git a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c > index dec992569476..4ad80ae1067f 100644 > --- a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c > +++ b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c > @@ -3164,9 +3164,7 @@ static int rtw_p2p_get_go_device_address(struct net_device *dev, > u8 *p2pie; > uint p2pielen = 0, attr_contentlen = 0; > u8 attr_content[100] = {0x00}; > - > - u8 go_devadd_str[17 + 10] = {0x00}; > - /* +10 is for the str "go_devadd =", we have to clear it at wrqu->data.pointer */ > + u8 go_devadd_str[17 + 12] = {}; You are deleting the explanation for the magic numbers here - intentionally? NTL, it would be nice to have a full explanation like 10= space for "go_devadd =" 17= space for attr_content %.2X:%.2X:%.2X:%.2X:%.2X:%.2X re, wh > /* Commented by Albert 20121209 */ > /* The input data is the GO's interface address which the application wants to know its device address. */ 
> @@ -3223,12 +3221,12 @@ static int rtw_p2p_get_go_device_address(struct net_device *dev, > spin_unlock_bh(&pmlmepriv->scanned_queue.lock); > > if (!blnMatch) > - sprintf(go_devadd_str, "\n\ndev_add = NULL"); > + snprintf(go_devadd_str, sizeof(go_devadd_str), "\n\ndev_add = NULL"); > else > - sprintf(go_devadd_str, "\n\ndev_add =%.2X:%.2X:%.2X:%.2X:%.2X:%.2X", > + snprintf(go_devadd_str, sizeof(go_devadd_str), "\n\ndev_add =%.2X:%.2X:%.2X:%.2X:%.2X:%.2X", > attr_content[0], attr_content[1], attr_content[2], attr_content[3], attr_content[4], attr_content[5]); > > - if (copy_to_user(wrqu->data.pointer, go_devadd_str, 10 + 17)) > + if (copy_to_user(wrqu->data.pointer, go_devadd_str, sizeof(go_devadd_str))) > return -EFAULT; > return ret; > } > -- > To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in > the body of a message to majordomo@xxxxxxxxxxxxxxx > More majordomo info at http://vger.kernel.org/majordomo-info.html
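
Review bot: The `17 + 12` in the new `go_devadd_str` declaration (hunk at -3164) is left undocumented, and the comment being removed did not describe the code in the first place: it names "go_devadd =" while the string actually written into the buffer starts with "\n\ndev_add =". Please keep a comment, or use named constants, that breaks the size down as the format string uses it: 2 bytes for the leading "\n\n", 9 for "dev_add =", 17 for the %.2X:%.2X:%.2X:%.2X:%.2X:%.2X address and 1 for the terminating NUL, 29 in total. That way the next reader can check the array against the snprintf() format without counting characters by hand.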
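
Review bot: The `copy_to_user()` call at the end of the -3223 hunk now writes `sizeof(go_devadd_str)`, 29 bytes instead of the previous `10 + 17`, to `wrqu->data.pointer`, and nothing in the visible lines checks that the caller's buffer is that large. User space that sized its buffer for the old 27 bytes would have two bytes written past it, which is the API change the commit message mentions but does not quantify. Consider bounding the copy by the length the caller supplied (`wrqu->data.length`, if it is populated for this ioctl) or returning an error when the buffer is too small, and state the new size in the changelog. The snprintf() conversion itself looks fine: because the array is zero-initialised, the unused tail that gets copied in the "dev_add = NULL" case contains only zeros.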