| From 45b241689179a6065384260242637cf21dabfb2d Mon Sep 17 00:00:00 2001 |
| From: Daniel Mack <daniel@caiaq.de> |
| Date: Wed, 16 Dec 2009 05:12:58 +0100 |
| Subject: Libertas: fix buffer overflow in lbs_get_essid() |
| |
| From: Daniel Mack <daniel@caiaq.de> |
| |
| commit 45b241689179a6065384260242637cf21dabfb2d upstream. |
| |
| The libertas driver copies the SSID buffer back to the wireless core and |
| appends a trailing NULL character for termination. This is |
| |
| a) unnecessary because the buffer is allocated with kzalloc and is hence |
| already NULLed when this function is called, and |
| |
| b) for priv->curbssparams.ssid_len == 32, it writes back one byte too |
| much which causes memory corruptions. |
| |
| Fix this by removing the extra write. |
| |
| Signed-off-by: Daniel Mack <daniel@caiaq.de> |
| Cc: Stephen Hemminger <shemminger@vyatta.com> |
| Cc: Maithili Hinge <maithili@marvell.com> |
| Cc: Kiran Divekar <dkiran@marvell.com> |
| Cc: Michael Hirsch <m.hirsch@raumfeld.com> |
| Cc: netdev@vger.kernel.org |
| Cc: libertas-dev@lists.infradead.org |
| Cc: linux-wireless@lists.infradead.org |
| Acked-by: Holger Schurig <holgerschurig@gmail.com> |
| Acked-by: Dan Williams <dcbw@redhat.com> |
| Signed-off-by: John W. Linville <linville@tuxdriver.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| |
| --- |
| drivers/net/wireless/libertas/wext.c | 2 -- |
| 1 file changed, 2 deletions(-) |
| |
| --- a/drivers/net/wireless/libertas/wext.c |
| +++ b/drivers/net/wireless/libertas/wext.c |
| @@ -1951,10 +1951,8 @@ static int lbs_get_essid(struct net_devi |
| if (priv->connect_status == LBS_CONNECTED) { |
| memcpy(extra, priv->curbssparams.ssid, |
| priv->curbssparams.ssid_len); |
| - extra[priv->curbssparams.ssid_len] = '\0'; |
| } else { |
| memset(extra, 0, 32); |
| - extra[priv->curbssparams.ssid_len] = '\0'; |
| } |
| /* |
| * If none, we may want to get the one that was set |