[PATCH] mac80211: avoid possible buffer overrun in sta_agg_status_write

"John W. Linville" <linville@xxxxxxxxxxxxx> · Fri, 7 Nov 2008 15:26:59 -0500

This addresses the bug report here:

	http://bugzilla.kernel.org/show_bug.cgi?id=11975

Reported-by: Daniel Marjamäki <danielm77@xxxxxxxx>
Cc: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
Cc: Johannes Berg <johannes@xxxxxxxxxxxxxxxx>
Cc: stable@xxxxxxxxxx
Signed-off-by: John W. Linville <linville@xxxxxxxxxxxxx>
---
 net/mac80211/debugfs_sta.c |    9 ++-------
 1 files changed, 2 insertions(+), 7 deletions(-)

diff --git a/net/mac80211/debugfs_sta.c b/net/mac80211/debugfs_sta.c
index 189d0ba..2e6752a 100644
--- a/net/mac80211/debugfs_sta.c
+++ b/net/mac80211/debugfs_sta.c
@@ -184,7 +184,6 @@ static ssize_t sta_agg_status_write(struct file *file,
 	char buf[32];
 	int buf_size, rs;
 	unsigned int tid_num;
-	char state[4];
 
 	memset(buf, 0x00, sizeof(buf));
 	buf_size = min(count, (sizeof(buf)-1));
@@ -199,35 +198,31 @@ static ssize_t sta_agg_status_write(struct file *file,
 		/* toggle Rx aggregation command */
 		tid_num = tid_num - 100;
 		if (tid_static_rx[tid_num] == 1) {
-			strcpy(state, "off ");
 			ieee80211_sta_stop_rx_ba_session(sta->sdata, da, tid_num, 0,
 					WLAN_REASON_QSTA_REQUIRE_SETUP);
 			sta->ampdu_mlme.tid_state_rx[tid_num] |=
 					HT_AGG_STATE_DEBUGFS_CTL;
 			tid_static_rx[tid_num] = 0;
 		} else {
-			strcpy(state, "on ");
 			sta->ampdu_mlme.tid_state_rx[tid_num] &=
 					~HT_AGG_STATE_DEBUGFS_CTL;
 			tid_static_rx[tid_num] = 1;
 		}
 		printk(KERN_DEBUG "debugfs - try switching tid %u %s\n",
-				tid_num, state);
+				tid_num, tid_static_rx[tid_num] ? "on" : "off");
 	} else if ((tid_num >= 0) && (tid_num <= 15)) {
 		/* toggle Tx aggregation command */
 		if (tid_static_tx[tid_num] == 0) {
-			strcpy(state, "on ");
 			rs =  ieee80211_start_tx_ba_session(hw, da, tid_num);
 			if (rs == 0)
 				tid_static_tx[tid_num] = 1;
 		} else {
-			strcpy(state, "off");
 			rs =  ieee80211_stop_tx_ba_session(hw, da, tid_num, 1);
 			if (rs == 0)
 				tid_static_tx[tid_num] = 0;
 		}
 		printk(KERN_DEBUG "debugfs - switching tid %u %s, return=%d\n",
-				tid_num, state, rs);
+				tid_num, tid_static_tx[tid_num] ? "on" : "off", rs);
 	}
 
 	return count;
-- 
1.5.4.3

--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html




