• D
    Libertas: fix buffer overflow in lbs_get_essid() · 45b24168
    Daniel Mack 提交于
    The libertas driver copies the SSID buffer back to the wireless core and
    appends a trailing NULL character for termination. This is
    
    a) unnecessary because the buffer is allocated with kzalloc and is hence
       already NULLed when this function is called, and
    
    b) for priv->curbssparams.ssid_len == 32, it writes back one byte too
       much which causes memory corruptions.
    
    Fix this by removing the extra write.
    Signed-off-by: NDaniel Mack <daniel@caiaq.de>
    Cc: Stephen Hemminger <shemminger@vyatta.com>
    Cc: Maithili Hinge <maithili@marvell.com>
    Cc: Kiran Divekar <dkiran@marvell.com>
    Cc: Michael Hirsch <m.hirsch@raumfeld.com>
    Cc: netdev@vger.kernel.org
    Cc: libertas-dev@lists.infradead.org
    Cc: linux-wireless@lists.infradead.org
    Cc: stable@kernel.org
    Acked-by: NHolger Schurig <holgerschurig@gmail.com>
    Acked-by: NDan Williams <dcbw@redhat.com>
    Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
    45b24168
wext.c 57.8 KB