Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 8b7a13c3 authored by Larry Finger's avatar Larry Finger Committed by Greg Kroah-Hartman
Browse files

staging: r8712u: Fix possible buffer overrun 



In routine r8712_report_sec_ie(), the code could set the length
of the buffer to 256; however, that value is one larger than the
corresponding memory allocation.

Signed-off-by: default avatarLarry Finger <Larry.Finger@lwfinger.net>
Reported-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 0df1a84e

drivers/staging/rtl8712/mlme_linux.c

+1 −1
Original line number Diff line number Diff line
@@ -156,7 +156,7 @@ void r8712_report_sec_ie(struct _adapter *adapter, u8 authmode, u8 *sec_ie) 
		p = buff;

		p += sprintf(p, "ASSOCINFO(ReqIEs=");

		len = sec_ie[1] + 2;

		len =  (len < IW_CUSTOM_MAX) ? len : IW_CUSTOM_MAX;

		len =  (len < IW_CUSTOM_MAX) ? len : IW_CUSTOM_MAX - 1;

		for (i = 0; i < len; i++)

			p += sprintf(p, "%02x", sec_ie[i]);

		p += sprintf(p, ")");