Am 03.02.2014 23:38, schrieb Dan Carpenter:
> The go_devadd_str[] array is two characters too small to hold the
> address so we corrupt memory.
>
> I've changed the user space API slightly and I don't have a way to test
> if this breaks anything. In the original code we truncated away the
> last digit of the address and the NUL terminator so it was already a bit
> broken.
>
> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
>
> diff --git a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
> index dec992569476..4ad80ae1067f 100644
> --- a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
> +++ b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
> @@ -3164,9 +3164,7 @@ static int rtw_p2p_get_go_device_address(struct net_device *dev,
> u8 *p2pie;
> uint p2pielen = 0, attr_contentlen = 0;
> u8 attr_content[100] = {0x00};
> -
> - u8 go_devadd_str[17 + 10] = {0x00};
> - /* +10 is for the str "go_devadd =", we have to clear it at wrqu->data.pointer */
> + u8 go_devadd_str[17 + 12] = {};
you are deleting the explanation for the magic numbers here,
- intentionally ?
NTL, it would be nice to have a full explanation like
10= space for "go_devadd ="
17= space for attr_content %.2X:%.2X:%.2X:%.2X:%.2X:%.2X
re,
wh
> /* Commented by Albert 20121209 */
> /* The input data is the GO's interface address which the application wants to know its device address. */
> @@ -3223,12 +3221,12 @@ static int rtw_p2p_get_go_device_address(struct net_device *dev,
> spin_unlock_bh(&pmlmepriv->scanned_queue.lock);
>
> if (!blnMatch)
> - sprintf(go_devadd_str, "\n\ndev_add = NULL");
> + snprintf(go_devadd_str, sizeof(go_devadd_str), "\n\ndev_add = NULL");
> else
> - sprintf(go_devadd_str, "\n\ndev_add =%.2X:%.2X:%.2X:%.2X:%.2X:%.2X",
> + snprintf(go_devadd_str, sizeof(go_devadd_str), "\n\ndev_add =%.2X:%.2X:%.2X:%.2X:%.2X:%.2X",
> attr_content[0], attr_content[1], attr_content[2], attr_content[3], attr_content[4], attr_content[5]);
>
> - if (copy_to_user(wrqu->data.pointer, go_devadd_str, 10 + 17))
> + if (copy_to_user(wrqu->data.pointer, go_devadd_str, sizeof(go_devadd_str)))
> return -EFAULT;
> return ret;
> }
> --
> To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
--
To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
