On Fri, Feb 07, 2014 at 11:46:26AM +0100, walter harms wrote:
>
>
> Am 03.02.2014 23:38, schrieb Dan Carpenter:
> > The go_devadd_str[] array is two characters too small to hold the
> > address so we corrupt memory.
> >
> > I've changed the user space API slightly and I don't have a way to test
> > if this breaks anything. In the original code we truncated away the
> > last digit of the address and the NUL terminator so it was already a bit
> > broken.
> >
> > Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> >
> > diff --git a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
> > index dec992569476..4ad80ae1067f 100644
> > --- a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
> > +++ b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
> > @@ -3164,9 +3164,7 @@ static int rtw_p2p_get_go_device_address(struct net_device *dev,
> > u8 *p2pie;
> > uint p2pielen = 0, attr_contentlen = 0;
> > u8 attr_content[100] = {0x00};
> > -
> > - u8 go_devadd_str[17 + 10] = {0x00};
> > - /* +10 is for the str "go_devadd =", we have to clear it at wrqu->data.pointer */
> > + u8 go_devadd_str[17 + 12] = {};
>
>
> you are deleting the explanation for the magic numbers here,
> - intentionally ?
>
Yes. The old explanation was misleading because the string is
"\n\ndev_add =" and not "go_devadd =". The buffer is only used in one
location so the size is obvious and there is no need for a comment.
regards,
dan carpenter
--
To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
