
Commit d936435f authored by Dan Carpenter's avatar Dan Carpenter Committed by Greg Kroah-Hartman

Staging: rtl8712: fix math errors in snprintf()



The original code had calls to snprintf(p, 7, "wpa_ie=") but that string
is 8 characters (because snprintf() puts a NUL terminator on the end).
So instead of an '=', what gets written to buf is a NUL terminator
followed by the rest of the string.

And actually the %02x formats are three chars as well when you include
the terminator.

Signed-off-by: default avatarDan Carpenter <error27@gmail.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
parent ec42dc2c
+13 −9
@@ -281,18 +281,20 @@ static inline char *translate_scan(struct _adapter *padapter,
	/* parsing WPA/WPA2 IE */
	{
		u16 wpa_len = 0, rsn_len = 0;
		u8 *p;
		int n;
		sint out_len = 0;
		out_len = r8712_get_sec_ie(pnetwork->network.IEs,
					   pnetwork->network.
					   IELength, rsn_ie, &rsn_len,
					   wpa_ie, &wpa_len);
		if (wpa_len > 0) {
			p = buf;
			memset(buf, 0, MAX_WPA_IE_LEN);
			p += snprintf(p, 7, "wpa_ie=");
			for (i = 0; i < wpa_len; i++)
				p += snprintf(p, 2, "%02x", wpa_ie[i]);
			n = sprintf(buf, "wpa_ie=");
			for (i = 0; i < wpa_len; i++) {
				n += snprintf(buf + n, MAX_WPA_IE_LEN - n, "%02x", wpa_ie[i]);
				if (n >= MAX_WPA_IE_LEN)
					break;
			}
			memset(&iwe, 0, sizeof(iwe));
			iwe.cmd = IWEVCUSTOM;
			iwe.u.data.length = (u16)strlen(buf);
@@ -305,11 +307,13 @@ static inline char *translate_scan(struct _adapter *padapter,
				&iwe, wpa_ie);
		}
		if (rsn_len > 0) {
			p = buf;
			memset(buf, 0, MAX_WPA_IE_LEN);
			p += snprintf(p, 7, "rsn_ie=");
			for (i = 0; i < rsn_len; i++)
				p += snprintf(p, 2, "%02x", rsn_ie[i]);
			n = sprintf(buf, "rsn_ie=");
			for (i = 0; i < rsn_len; i++) {
				n += snprintf(buf + n, MAX_WPA_IE_LEN - n, "%02x", rsn_ie[i]);
				if (n >= MAX_WPA_IE_LEN)
					break;
			}
			memset(&iwe, 0, sizeof(iwe));
			iwe.cmd = IWEVCUSTOM;
			iwe.u.data.length = strlen(buf);
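Review bot: When the buffer fills, both new loops (the `wpa_ie=` one and the `rsn_ie=` one) still emit a truncated string, and the cut can land in the middle of a byte. With two bytes of room left, `snprintf(buf + n, MAX_WPA_IE_LEN - n, "%02x", ...)` writes one hex digit plus the terminator before the `n >= MAX_WPA_IE_LEN` check breaks out. The IE bytes and lengths come from scan results, so a long IE presumably reaches this path without the driver choosing it, and a consumer of the IWEVCUSTOM string then gets an odd-length, incomplete hex dump with no sign of truncation. Checking the room before formatting keeps the output to whole bytes and makes the post-check unnecessary: `if (n + 3 > MAX_WPA_IE_LEN) break;` ahead of the `snprintf()` call. This assumes `buf` is MAX_WPA_IE_LEN bytes, as the `memset` suggests; its declaration and the rest of translate_scan() are outside the hunks.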