
Re: [PATCH 061/119] staging: brcm80211: further renaming in fullmac sources


On Wed, Jun 29, 2011 at 04:47:25PM -0700, Franky Lin wrote:
> @@ -1046,7 +1038,7 @@ void brcmf_c_pktfilter_offload_set(dhd_pub_t *dhd, char *arg)
>  
>  	memcpy(arg_save, arg, strlen(arg) + 1);
>  
> -	if (strlen(arg) > BUF_SIZE) {
> +	if (strlen(arg) > PKTFILTER_BUF_SIZE) {

strlen() doesn't include the NULL terminator so probably this test
is off by one.  I didn't actually follow the code through to see
where the buffer overflow happens.  The arg_save buffer is
dynamically allocated to the correct size...  buf was the only
buffer that is PKTFILTER_BUF_SIZE and it stores a different string.

(maybe the test can just be removed?).

This whole function could be cleaned up with regards to string
handling.

For example:
	str = "pkt_filter_add";
	str_len = strlen(str);
	strncpy(buf, str, str_len);
	buf[str_len] = '\0';

could be replaced with:
	strcpy(buf, "pkt_filter_add");

>  		DHD_ERROR(("Not enough buffer %d < %d\n", (int)strlen(arg),
>  			   (int)sizeof(buf)));
>  		goto fail;
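
Review bot: The DHD_ERROR text under the renamed check does not match the test: the condition compares strlen(arg) against PKTFILTER_BUF_SIZE, but the message prints (int)sizeof(buf), and its "%d < %d" wording reads in the opposite direction to the > being tested. Print the same bound the condition uses and word the message as a length exceeding a limit. The check also sits after memcpy(arg_save, arg, strlen(arg) + 1), so it cannot bound that copy; if it is meant to guard a later copy that includes the terminator, >= is the comparison that leaves room for it.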

regards,
dan carpenter
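
The off-by-one raised in the reply above, as an added example that is not part of the original message or of the brcm80211 driver. It assumes the length check is meant to guard a copy of arg plus its terminator into a buffer of that size; DEMO_BUF_SIZE and all function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define DEMO_BUF_SIZE 8	/* hypothetical stand-in for PKTFILTER_BUF_SIZE */

/* The test as quoted in the patch: reject only when strlen(arg) > size. */
static int quoted_check_accepts(const char *arg, size_t size)
{
	return !(strlen(arg) > size);
}

/* Bounded copy: 0 on success, -1 if arg plus its NUL does not fit.
 * dst is left untouched on failure. */
static int copy_arg_checked(char *dst, size_t dst_size, const char *arg)
{
	size_t len = strlen(arg);

	if (len >= dst_size)		/* >= leaves room for the terminator */
		return -1;
	memcpy(dst, arg, len + 1);
	return 0;
}

/* Wrapper that copies into a DEMO_BUF_SIZE buffer and returns the result. */
static int copy_fits(const char *arg)
{
	char dst[DEMO_BUF_SIZE];

	return copy_arg_checked(dst, sizeof(dst), arg);
}

/* Count constructed inputs (lengths 0..DEMO_BUF_SIZE+2) that the quoted
 * test accepts although strlen + 1 bytes exceed the buffer. */
static int unsafe_accept_count(void)
{
	char arg[DEMO_BUF_SIZE + 3];
	int count = 0;

	for (size_t len = 0; len <= DEMO_BUF_SIZE + 2; len++) {
		memset(arg, 'a', len);
		arg[len] = '\0';
		if (quoted_check_accepts(arg, DEMO_BUF_SIZE) &&
		    strlen(arg) + 1 > DEMO_BUF_SIZE)
			count++;
	}
	return count;
}

int main(void)
{
	printf("accepted but too long: %d\n", unsafe_accept_count());
	printf("8-char arg: %d\n", copy_fits("12345678"));
	return 0;
}
```

Only the input whose length equals the buffer size slips through the quoted test, which is the single boundary case the `>=` comparison closes.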


