From patchwork Thu Mar 10 15:23:26 2011 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dan Carpenter X-Patchwork-Id: 86299 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 8BCA0B6F8F for ; Fri, 11 Mar 2011 02:29:28 +1100 (EST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752976Ab1CJP3X (ORCPT ); Thu, 10 Mar 2011 10:29:23 -0500 Received: from mail-bw0-f46.google.com ([209.85.214.46]:63924 "EHLO mail-bw0-f46.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752220Ab1CJP3V (ORCPT ); Thu, 10 Mar 2011 10:29:21 -0500 Received: by bwz15 with SMTP id 15so1892280bwz.19 for ; Thu, 10 Mar 2011 07:29:20 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:date:from:to:cc:subject:message-id:mime-version :content-type:content-disposition:user-agent; bh=w2FYBaOKqrN6gOHodMg9C7unKVaVNYCCli6+Aj97APY=; b=e55xB6dLkeKFGMJTGvJnz8sX7KW0kao2l8rWlSjszXZClseQjGfTHAnifKwqSGmZzx Qst3jqsZgrnmgMhVbJrTZaLsXS1xZSMCM7r/UXzOt85j+mnSJlhJ8IO98S5lezqnsNtr 33bVXRlDlArwFp46mb5L8UQmdZ6IV7z8B6bU8= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=date:from:to:cc:subject:message-id:mime-version:content-type :content-disposition:user-agent; b=rl1V+GK/K9mbJ2VTMwB4Xp8mlohgsWg3OmQMG8CknCKgkHwYLpulL2sOgQP50lU9UG ElQCRW0IHb3t/rqYK096IBnVhmc1v/2zcqTzmCnusQ9W8+ZqfYF6gc2Z22mkF++lK87h nbD30+Ns31/pDkeoOsjJid/xp8lqkawahEZcw= Received: by 10.223.73.133 with SMTP id q5mr1011847faj.127.1299770960158; Thu, 10 Mar 2011 07:29:20 -0800 (PST) Received: from bicker ([212.49.88.34]) by mx.google.com with ESMTPS id n26sm1426311fam.37.2011.03.10.07.29.09 (version=TLSv1/SSLv3 cipher=OTHER); Thu, 10 Mar 2011 07:29:18 -0800 (PST) Date: Thu, 10 Mar 2011 18:23:26 +0300 From: Dan Carpenter To: Dan Williams , javier@cozybit.com Cc: "John W. Linville" , libertas-dev@lists.infradead.org, linux-wireless@vger.kernel.org, netdev@vger.kernel.org, kernel-janitors@vger.kernel.org Subject: [patch] libertas: fix write past end of array in mesh_id_get() Message-ID: <20110310152326.GA2008@bicker> MIME-Version: 1.0 Content-Disposition: inline User-Agent: Mutt/1.5.20 (2009-06-14) Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org defs.meshie.val.mesh_id is 32 chars long. It's not supposed to be NUL terminated. This code puts a terminator on the end to make it easier to print to sysfs. The problem is that if the mesh_id fills the entire buffer the original code puts the terminator one spot past the end. The way the original code was written, there was a check to make sure that maxlen was less than PAGE_SIZE. Since we know that maxlen is at most 34 chars, I just removed the check. Signed-off-by: Dan Carpenter Acked-by: Dan Williams --- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/drivers/net/wireless/libertas/mesh.c b/drivers/net/wireless/libertas/mesh.c index acf3bf6..9d097b9 100644 --- a/drivers/net/wireless/libertas/mesh.c +++ b/drivers/net/wireless/libertas/mesh.c @@ -918,7 +918,6 @@ static ssize_t mesh_id_get(struct device *dev, struct device_attribute *attr, char *buf) { struct mrvl_mesh_defaults defs; - int maxlen; int ret; ret = mesh_get_default_parameters(dev, &defs); @@ -931,13 +930,11 @@ static ssize_t mesh_id_get(struct device *dev, struct device_attribute *attr, defs.meshie.val.mesh_id_len = IEEE80211_MAX_SSID_LEN; } - /* SSID not null terminated: reserve room for \0 + \n */ - maxlen = defs.meshie.val.mesh_id_len + 2; - maxlen = (PAGE_SIZE > maxlen) ? maxlen : PAGE_SIZE; + memcpy(buf, defs.meshie.val.mesh_id, defs.meshie.val.mesh_id_len); + buf[defs.meshie.val.mesh_id_len] = '\n'; + buf[defs.meshie.val.mesh_id_len + 1] = '\0'; - defs.meshie.val.mesh_id[defs.meshie.val.mesh_id_len] = '\0'; - - return snprintf(buf, maxlen, "%s\n", defs.meshie.val.mesh_id); + return defs.meshie.val.mesh_id_len + 1; } /**