On Wed, Jun 29, 2011 at 04:47:25PM -0700, Franky Lin wrote:
> @@ -1046,7 +1038,7 @@ void brcmf_c_pktfilter_offload_set(dhd_pub_t *dhd, char *arg)
>
> memcpy(arg_save, arg, strlen(arg) + 1);
>
> - if (strlen(arg) > BUF_SIZE) {
> + if (strlen(arg) > PKTFILTER_BUF_SIZE) {

strlen() doesn't include the NULL terminator so probably this test is off by one.

I didn't actually follow the code through to see where the buffer overflow happens. The arg_save buffer is dynamically allocated to the correct size... buf was the only buffer that is PKTFILTER_BUF_SIZE and it stores a different string. (maybe the test can just be removed?).

This whole function could be cleaned up with regards to string handling. For example:

	str = "pkt_filter_add";
	str_len = strlen(str);
	strncpy(buf, str, str_len);
	buf[str_len] = '\0';

could be replaced with:

	strcpy(buf, "pkt_filter_add");

> DHD_ERROR(("Not enough buffer %d < %d\n", (int)strlen(arg),
> (int)sizeof(buf)));
> goto fail;

regards,
dan carpenter

--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
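Review bot: the test `if (strlen(arg) > PKTFILTER_BUF_SIZE)` is off by one for a NUL-terminated copy into a buffer of PKTFILTER_BUF_SIZE bytes, because strlen() excludes the terminator; a string of exactly PKTFILTER_BUF_SIZE characters passes the check but needs PKTFILTER_BUF_SIZE + 1 bytes. Use `>=` (or compare `strlen(arg) + 1` against the size), and print the bound that was actually tested in the DHD_ERROR message instead of `(int)sizeof(buf)`, so the check and the diagnostic cannot drift apart after this rename. The check also runs after `memcpy(arg_save, arg, strlen(arg) + 1);`; if it is meant to guard a copy it should precede it, and if arg_save is sized from strlen(arg) the test protects nothing there, which supports dropping or relocating it rather than just renaming the constant.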
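The off-by-one Dan points at is easy to see with a small harness. The following is an added example written for this page, not code from the brcmfmac driver or from either poster: EXAMPLE_BUF_SIZE is a constructed stand-in for PKTFILTER_BUF_SIZE, and the two check functions reproduce the patch's `>` comparison beside the corrected `>=`/`<` form. The window function counts the lengths the loose check admits but the strict one rejects, which is exactly the one length whose terminating NUL would land past the buffer.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed stand-in for PKTFILTER_BUF_SIZE (assumption, not the driver's value). */
#define EXAMPLE_BUF_SIZE 16

/* The check as written in the patch: rejects only when strlen(arg) exceeds
 * the buffer size. A string of exactly EXAMPLE_BUF_SIZE characters is
 * accepted even though its terminating NUL needs one more byte.
 * Returns 1 when the argument is accepted. */
int accepts_loose(const char *arg)
{
    return !(strlen(arg) > EXAMPLE_BUF_SIZE);
}

/* The corrected check: strlen() does not count the NUL, so the string fits
 * only if strlen(arg) + 1 <= size, i.e. strlen(arg) < size. */
int accepts_strict(const char *arg)
{
    return strlen(arg) < EXAMPLE_BUF_SIZE;
}

/* Bounded copy that applies the strict check before touching dst.
 * Returns 0 on success, -1 when src would not fit with its terminator. */
int copy_checked(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (len >= dst_size)
        return -1;
    memcpy(dst, src, len + 1);   /* len + 1 copies the NUL as well */
    return 0;
}

/* Convenience wrapper: copy src into an EXAMPLE_BUF_SIZE buffer and report
 * whether the copy succeeded and round-tripped intact (1) or was refused (0). */
int copy_fits(const char *src)
{
    char dst[EXAMPLE_BUF_SIZE];
    return copy_checked(dst, sizeof(dst), src) == 0 && strcmp(dst, src) == 0;
}

/* Count the lengths in 0..EXAMPLE_BUF_SIZE+1 that the loose check accepts but
 * the strict check rejects. That count is the size of the off-by-one window. */
int off_by_one_window(void)
{
    char s[EXAMPLE_BUF_SIZE + 2];   /* room for the longest probe plus its NUL */
    int n = 0;
    for (size_t len = 0; len <= EXAMPLE_BUF_SIZE + 1; len++) {
        memset(s, 'a', len);
        s[len] = '\0';
        if (accepts_loose(s) && !accepts_strict(s))
            n++;
    }
    return n;
}

int main(void)
{
    printf("buffer size %d: loose check lets %d extra length through\n",
           EXAMPLE_BUF_SIZE, off_by_one_window());
    return 0;
}
```

Run stand-alone it reports a window of one: the length equal to the buffer size. That is the case the patch's `>` comparison admits and the diagnostic message, which prints sizeof(buf), would never mention.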