From 8b7a13c3f404cbd26b495fa9c34339cb9b7b8164 Mon Sep 17 00:00:00 2001 From: Larry Finger Date: Tue, 27 Nov 2012 12:08:44 -0600 Subject: [PATCH] staging: r8712u: Fix possible buffer overrun In routine r8712_report_sec_ie(), the code could set the length of the buffer to 256; however, that value is one larger than the corresponding memory allocation. Signed-off-by: Larry Finger Reported-by: Dan Carpenter Signed-off-by: Greg Kroah-Hartman --- drivers/staging/rtl8712/mlme_linux.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/staging/rtl8712/mlme_linux.c b/drivers/staging/rtl8712/mlme_linux.c index abf96c14df93..7279854c86aa 100644 --- a/drivers/staging/rtl8712/mlme_linux.c +++ b/drivers/staging/rtl8712/mlme_linux.c @@ -156,7 +156,7 @@ void r8712_report_sec_ie(struct _adapter *adapter, u8 authmode, u8 *sec_ie) p = buff; p += sprintf(p, "ASSOCINFO(ReqIEs="); len = sec_ie[1] + 2; - len = (len < IW_CUSTOM_MAX) ? len : IW_CUSTOM_MAX; + len = (len < IW_CUSTOM_MAX) ? len : IW_CUSTOM_MAX - 1; for (i = 0; i < len; i++) p += sprintf(p, "%02x", sec_ie[i]); p += sprintf(p, ")"); -- GitLab