| commit | d9b7ad9d124b0d3154bf0fe64ca5425827de498b | |
| author | Daniel Mack <daniel@caiaq.de> | |
| Wed, 16 Dec 2009 04:12:58 +0000 (16 05:12 +0100) | ||
| committer | Greg Kroah-Hartman <gregkh@suse.de> | |
| Wed, 6 Jan 2010 23:17:07 +0000 (6 15:17 -0800) | ||
| tree | c71d6077805a180702a7fc80b4e239b4c8226cad | treesnapshot (tar.gz zip) |
| parent | df0f66d3f4bd0ea859b2f4f8438914024b4a411f | commitdiff |
Libertas: fix buffer overflow in lbs_get_essid()
commit 45b241689179a6065384260242637cf21dabfb2d upstream.
The libertas driver copies the SSID buffer back to the wireless core and
appends a trailing NULL character for termination. This is
a) unnecessary because the buffer is allocated with kzalloc and is hence
already NULLed when this function is called, and
b) for priv->curbssparams.ssid_len == 32, it writes back one byte too
much which causes memory corruptions.
Fix this by removing the extra write.
Signed-off-by: Daniel Mack <daniel@caiaq.de>
Cc: Stephen Hemminger <shemminger@vyatta.com>
Cc: Maithili Hinge <maithili@marvell.com>
Cc: Kiran Divekar <dkiran@marvell.com>
Cc: Michael Hirsch <m.hirsch@raumfeld.com>
Cc: netdev@vger.kernel.org
Cc: libertas-dev@lists.infradead.org
Cc: linux-wireless@lists.infradead.org
Acked-by: Holger Schurig <holgerschurig@gmail.com>
Acked-by: Dan Williams <dcbw@redhat.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
commit 45b241689179a6065384260242637cf21dabfb2d upstream.
The libertas driver copies the SSID buffer back to the wireless core and
appends a trailing NULL character for termination. This is
a) unnecessary because the buffer is allocated with kzalloc and is hence
already NULLed when this function is called, and
b) for priv->curbssparams.ssid_len == 32, it writes back one byte too
much which causes memory corruptions.
Fix this by removing the extra write.
Signed-off-by: Daniel Mack <daniel@caiaq.de>
Cc: Stephen Hemminger <shemminger@vyatta.com>
Cc: Maithili Hinge <maithili@marvell.com>
Cc: Kiran Divekar <dkiran@marvell.com>
Cc: Michael Hirsch <m.hirsch@raumfeld.com>
Cc: netdev@vger.kernel.org
Cc: libertas-dev@lists.infradead.org
Cc: linux-wireless@lists.infradead.org
Acked-by: Holger Schurig <holgerschurig@gmail.com>
Acked-by: Dan Williams <dcbw@redhat.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
| drivers/net/wireless/libertas/wext.c | diffblobblamehistory |