cfg80211: off by one in ieee80211_bss()

Message ID 20130124064000.GB5611@elgon.mountain (mailing list archive)
State Not Applicable, archived

Commit Message

Dan Carpenter Jan. 24, 2013, 6:40 a.m. UTC
We do a:

	sprintf(buf, " Last beacon: %ums ago",
		elapsed_jiffies_msecs(bss->ts));

elapsed_jiffies_msecs() can return a 10 digit number so "buf" needs to
be 31 characters long.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
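
The size arithmetic in the commit message above, as an added userspace example that is not part of the original patch or the kernel source. It assumes a 32-bit `unsigned int`; the helper names `beacon_buf_size` and `format_beacon` are hypothetical.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Format string as quoted in the commit message. */
#define BEACON_FMT " Last beacon: %ums ago"

/*
 * Worst-case buffer size for BEACON_FMT, including the trailing NUL.
 * snprintf(NULL, 0, ...) returns the number of characters that would
 * be written, so the largest unsigned value gives the longest string.
 */
static size_t beacon_buf_size(void)
{
	int n = snprintf(NULL, 0, BEACON_FMT, UINT_MAX);

	return n < 0 ? 0 : (size_t)n + 1;
}

/*
 * Bounded formatter (hypothetical helper, not a kernel function).
 * Returns 0 if the whole string fit, -1 if it was truncated.
 * Unlike sprintf(), it never writes more than "size" bytes.
 */
static int format_beacon(char *buf, size_t size, unsigned int msecs)
{
	int n = snprintf(buf, size, BEACON_FMT, msecs);

	return (n < 0 || (size_t)n >= size) ? -1 : 0;
}

int main(void)
{
	char small[30];	/* size before the patch */
	char ok[31];	/* size after the patch */

	printf("required size: %zu\n", beacon_buf_size());
	printf("30 bytes, 10 digits: %d\n",
	       format_beacon(small, sizeof(small), UINT_MAX));
	printf("31 bytes, 10 digits: %d\n",
	       format_beacon(ok, sizeof(ok), UINT_MAX));
	printf("result: \"%s\"\n", ok);
	return 0;
}
```

With a 9-digit value the 30-byte buffer is still large enough, which is why the overflow only shows up once the elapsed time reaches 10 digits.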

Comments

Luciano Coelho Jan. 24, 2013, 7:28 a.m. UTC | #1
On Thu, 2013-01-24 at 09:40 +0300, Dan Carpenter wrote:
> We do a:
> 
> 	sprintf(buf, " Last beacon: %ums ago",
> 		elapsed_jiffies_msecs(bss->ts));
> 
> elapsed_jiffies_msecs() can return a 10 digit number so "buf" needs to
> be 31 characters long.
> 
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> 
> diff --git a/net/wireless/scan.c b/net/wireless/scan.c
> index 01592d7..45f1618 100644
> --- a/net/wireless/scan.c
> +++ b/net/wireless/scan.c
> @@ -1358,7 +1358,7 @@ ieee80211_bss(struct wiphy *wiphy, struct iw_request_info *info,
>  						  &iwe, IW_EV_UINT_LEN);
>  	}
>  
> -	buf = kmalloc(30, GFP_ATOMIC);
> +	buf = kmalloc(31, GFP_ATOMIC);
>  	if (buf) {
>  		memset(&iwe, 0, sizeof(iwe));
>  		iwe.cmd = IWEVCUSTOM;
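
Review bot: the new size in `kmalloc(31, GFP_ATOMIC)` is a bare literal, and nothing in the hunk ties it to the string it has to hold. A short comment above the allocation giving the breakdown (14 characters for " Last beacon: ", up to 10 digits for %u, 6 for "ms ago", 1 for the NUL) would let the next reader check the count without redoing it.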

Looks good.  Also, to be on the safe side, shouldn't snprintf be used
when writing to buf as well? Same thing higher up where the same buf is
used and alloc'ed 50 bytes...

--
Luca.

Johannes Berg Jan. 24, 2013, 2:47 p.m. UTC | #2
On Thu, 2013-01-24 at 09:40 +0300, Dan Carpenter wrote:
> We do a:
> 
> 	sprintf(buf, " Last beacon: %ums ago",
> 		elapsed_jiffies_msecs(bss->ts));
> 
> elapsed_jiffies_msecs() can return a 10 digit number so "buf" needs to
> be 31 characters long.

Applied, thanks.

johannes


Patch

diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index 01592d7..45f1618 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -1358,7 +1358,7 @@  ieee80211_bss(struct wiphy *wiphy, struct iw_request_info *info,
 						  &iwe, IW_EV_UINT_LEN);
 	}
 
-	buf = kmalloc(30, GFP_ATOMIC);
+	buf = kmalloc(31, GFP_ATOMIC);
 	if (buf) {
 		memset(&iwe, 0, sizeof(iwe));
 		iwe.cmd = IWEVCUSTOM;
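
Review bot: `kmalloc(31, GFP_ATOMIC)` is now an exact fit for the sprintf() quoted in the commit message, so there is no slack left if the text of that format string ever changes. Passing the same size to snprintf(), or keeping the size in one named constant shared by the allocation and the write, would turn a future miscount into truncation instead of a write past the end of the buffer.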