| From 1f9c6e1bc1ba5f8a10fcd6e99d170954d7c6d382 Mon Sep 17 00:00:00 2001 |
| From: Dan Carpenter <dan.carpenter@oracle.com> |
| Date: Mon, 21 Sep 2015 19:19:53 +0300 |
| Subject: mwifiex: fix mwifiex_rdeeprom_read() |
| |
| From: Dan Carpenter <dan.carpenter@oracle.com> |
| |
| commit 1f9c6e1bc1ba5f8a10fcd6e99d170954d7c6d382 upstream. |
| |
| There were several bugs here. |
| |
| 1) The done label was in the wrong place so we didn't copy any |
| information out when there was no command given. |
| |
| 2) We were using PAGE_SIZE as the size of the buffer instead of |
| "PAGE_SIZE - pos". |
| |
| 3) snprintf() returns the number of characters that would have been |
| printed if there were enough space. If there was not enough space |
| (and we had fixed the memory corruption bug #2) then it would result |
| in an information leak when we do simple_read_from_buffer(). I've |
| changed it to use scnprintf() instead. |
| |
| I also removed the initialization at the start of the function, because |
| I thought it made the code a little more clear. |
| |
| Fixes: 5e6e3a92b9a4 ('wireless: mwifiex: initial commit for Marvell mwifiex driver') |
| Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> |
| Acked-by: Amitkumar Karwar <akarwar@marvell.com> |
| Signed-off-by: Kalle Valo <kvalo@codeaurora.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| drivers/net/wireless/mwifiex/debugfs.c | 14 +++++++------- |
| 1 file changed, 7 insertions(+), 7 deletions(-) |
| |
| --- a/drivers/net/wireless/mwifiex/debugfs.c |
| +++ b/drivers/net/wireless/mwifiex/debugfs.c |
| @@ -593,7 +593,7 @@ mwifiex_rdeeprom_read(struct file *file, |
| (struct mwifiex_private *) file->private_data; |
| unsigned long addr = get_zeroed_page(GFP_KERNEL); |
| char *buf = (char *) addr; |
| - int pos = 0, ret = 0, i; |
| + int pos, ret, i; |
| u8 value[MAX_EEPROM_DATA]; |
| |
| if (!buf) |
| @@ -601,7 +601,7 @@ mwifiex_rdeeprom_read(struct file *file, |
| |
| if (saved_offset == -1) { |
| /* No command has been given */ |
| - pos += snprintf(buf, PAGE_SIZE, "0"); |
| + pos = snprintf(buf, PAGE_SIZE, "0"); |
| goto done; |
| } |
| |
| @@ -610,17 +610,17 @@ mwifiex_rdeeprom_read(struct file *file, |
| (u16) saved_bytes, value); |
| if (ret) { |
| ret = -EINVAL; |
| - goto done; |
| + goto out_free; |
| } |
| |
| - pos += snprintf(buf, PAGE_SIZE, "%d %d ", saved_offset, saved_bytes); |
| + pos = snprintf(buf, PAGE_SIZE, "%d %d ", saved_offset, saved_bytes); |
| |
| for (i = 0; i < saved_bytes; i++) |
| - pos += snprintf(buf + strlen(buf), PAGE_SIZE, "%d ", value[i]); |
| - |
| - ret = simple_read_from_buffer(ubuf, count, ppos, buf, pos); |
| + pos += scnprintf(buf + pos, PAGE_SIZE - pos, "%d ", value[i]); |
| |
| done: |
| + ret = simple_read_from_buffer(ubuf, count, ppos, buf, pos); |
| +out_free: |
| free_page(addr); |
| return ret; |
| } |
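Review bot: The loop `for (i = 0; i < saved_bytes; i++)` indexes `value[i]`, but `value` is declared as `u8 value[MAX_EEPROM_DATA]` and nothing visible in this hunk bounds `saved_bytes` by that size. If `saved_bytes` comes from a debugfs write without an upper limit (the writer is not shown here, so this is an assumption to confirm), the loop would read past the stack array and format adjacent stack bytes into the page that `simple_read_from_buffer()` copies to user space. Either confirm that the writer rejects values above `MAX_EEPROM_DATA`, or clamp locally with `for (i = 0; i < saved_bytes && i < MAX_EEPROM_DATA; i++)`. The two remaining `snprintf()` calls (this hunk and the "No command has been given" branch in the previous hunk) cannot truncate with these short formats, but switching them to `scnprintf()` would keep `pos` handling uniform. The start of `mwifiex_rdeeprom_read()` lies outside the hunk.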