On Wed, 2009-12-16 at 11:58 +0800, Daniel Mack wrote:

> > If this is used in a GET, then it will be filled up to 32 bytes by the
> > get handler, and the trailing \0 your patch reserves will never be
> > copied into userspace.
>
> The problem is the GET case. The libertas driver copies ssid_len
> characters here and appends a trailing \0, which my patch caught now and
> which caused memory corruption before.
>
> From what I've seen, libertas _does_ treat the extra data correctly
> at all places, I checked it several times now. (Btw, the %s format
> string you pointed out all use print_ssid() to properly escape all
> non-printable characters, so they're ruled out, too).

Oh, ok, print_ssid() is correct of course, it gets the length.

> I'll send a patch to fix the flaw in libertas.

Thanks.

johannes
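The pattern discussed in this thread, as an added example that is not code from the thread, from libertas or from the kernel: an SSID is up to 32 raw bytes with no terminator, so copying `ssid_len` bytes and then appending `\0` writes 33 bytes when `ssid_len` is 32. The helper names `ssid_copy` and `ssid_escape` are hypothetical; they show a copy and a log formatter that both work from the explicit length.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SSID_MAX 32 /* raw SSID bytes; the buffer has no room for a '\0' */

/* Length-delimited copy: never appends a terminator, never exceeds SSID_MAX.
 * Returns the stored length, or 0 if the caller passed an oversized SSID. */
static size_t ssid_copy(unsigned char dst[SSID_MAX],
                        const unsigned char *src, size_t len)
{
    if (len > SSID_MAX)
        return 0;
    memcpy(dst, src, len); /* exactly len bytes; dst[len] is never touched */
    return len;
}

/* Escape an SSID for logging from its explicit length, so embedded NULs and
 * non-printable bytes are shown instead of ending or corrupting the output.
 * Returns the number of characters written, excluding the terminator. */
static size_t ssid_escape(char *out, size_t outsz,
                          const unsigned char *ssid, size_t len)
{
    size_t n = 0;
    if (outsz == 0)
        return 0;
    for (size_t i = 0; i < len; i++) {
        int printable = ssid[i] >= 0x20 && ssid[i] < 0x7f && ssid[i] != '\\';
        size_t need = printable ? 1 : 4; /* "\xNN" takes four characters */
        if (n + need + 1 > outsz)
            break; /* stop early rather than overrun the output buffer */
        if (printable)
            out[n++] = (char)ssid[i];
        else
            n += (size_t)snprintf(out + n, outsz - n, "\\x%02x",
                                  (unsigned)ssid[i]);
    }
    out[n] = '\0';
    return n;
}

int main(void)
{
    /* Constructed sample: a 3-byte SSID with an embedded NUL. */
    const unsigned char sample[3] = { 'a', 0x00, 'b' };
    unsigned char stored[SSID_MAX];
    char text[4 * SSID_MAX + 1];
    size_t len = ssid_copy(stored, sample, sizeof sample);
    ssid_escape(text, sizeof text, stored, len);
    printf("len=%zu ssid=%s\n", len, text);
    return 0;
}
```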