(Sorry, had a typo in the linux-wireless list address, corrected now).
On Wed, Dec 16, 2009 at 05:12:58AM +0100, Daniel Mack wrote:
>
> The libertas driver copies the SSID buffer back to the wireless core and
> appends a trailing NULL character for termination. This is
>
> a) unnecessary because the buffer is allocated with kzalloc and is hence
> already NULLed when this function is called, and
>
> b) for priv->curbssparams.ssid_len == 32, it writes back one byte too
> much which causes memory corruptions.
>
> Fix this by removing the extra write.
>
> Signed-off-by: Daniel Mack <daniel@xxxxxxxx>
> Cc: Dan Williams <dcbw@xxxxxxxxxx>
> Cc: Holger Schurig <holgerschurig@xxxxxxxxx>
> Cc: John W. Linville <linville@xxxxxxxxxxxxx>
> Cc: Stephen Hemminger <shemminger@xxxxxxxxxx>
> Cc: Maithili Hinge <maithili@xxxxxxxxxxx>
> Cc: Kiran Divekar <dkiran@xxxxxxxxxxx>
> Cc: Michael Hirsch <m.hirsch@xxxxxxxxxxxx>
> Cc: netdev@xxxxxxxxxxxxxxx
> Cc: libertas-dev@xxxxxxxxxxxxxxxxxxx
> Cc: linux-wireless@xxxxxxxxxxxxxxxxxxx
> Cc: stable@xxxxxxxxxx
> ---
> drivers/net/wireless/libertas/wext.c | 2 --
> 1 files changed, 0 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/net/wireless/libertas/wext.c b/drivers/net/wireless/libertas/wext.c
> index be837a0..01c738b 100644
> --- a/drivers/net/wireless/libertas/wext.c
> +++ b/drivers/net/wireless/libertas/wext.c
> @@ -1953,10 +1953,8 @@ static int lbs_get_essid(struct net_device *dev, struct iw_request_info *info,
> if (priv->connect_status == LBS_CONNECTED) {
> memcpy(extra, priv->curbssparams.ssid,
> priv->curbssparams.ssid_len);
> - extra[priv->curbssparams.ssid_len] = '\0';
> } else {
> memset(extra, 0, 32);
> - extra[priv->curbssparams.ssid_len] = '\0';
> }
> /*
> * If none, we may want to get the one that was set
> --
> 1.6.3.3
>
--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
