On Mon, 2011-06-06 at 22:30 +0300, Luciano Coelho wrote: > In both trigger_scan and sched_scan operations, we were checking for > the SSID length before assigning the value correctly. Since the > memory was just kzalloc'ed, the check was always failing and SSID with > over 32 characters were allowed to go through. > > This was causing a buffer overflow when copying the actual SSID to the > proper place. > > This bug has been there since 2.6.29-rc4. > > Backported from commit 208c72f4fe44fe09577e7975ba0e7fa0278f3d03. > > Cc: stable@xxxxxxxxxx > Signed-off-by: Luciano Coelho <coelho@xxxxxx> > Signed-off-by: John W. Linville <linville@xxxxxxxxxxxxx> > --- FWIW, this patch applies cleanly on all stable kernels at least as far back as 2.6.35, probably even earlier. -- Cheers, Luca. -- To unsubscribe from this list: send the line "unsubscribe linux-wireless" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html