eeprom_93cx6_multiread() expects the last argument to be the buffer length in words, but kzalloc() expects the length in bytes. This results in dangerous kernel memory corruption. Since there are already occurrences of "EEPROM_SIZE * sizeof(u16)" in the driver, I'm assuming that EEPROM_SIZE is in words, so the driver needs to allocate more memory. Signed-off-by: Pavel Roskin <proski@xxxxxxx>
ACK, this fix has been in CVS already, but I hadn't send the patch yet. Ivo - To unsubscribe from this list: send the line "unsubscribe linux-wireless" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
