skyfall/rtl8188eu
1
0
Fork 0
mirror of https://github.com/lwfinger/rtl8188eu.git synced 2024-11-22 12:33:40 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

rtl8188eu: Move buffer off stack in translate_scan()

Browse source 
A user has reported a kernel panic that points to a stack overflow in
this routine. The array that was moved is only 64 bytes, but perhaps
the stack space is really tight.

Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
This commit is contained in:
Larry Finger 2016-01-21 19:32:54 -06:00
parent e2a86fc287
commit 596818fee3
1 changed files with 5 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
os_dep/ioctl_linux.c
View file

@ -190,7 +190,7 @@ static char *translate_scan(struct adapter *padapter,
u16 cap;
__le16 le_tmp;
u32 ht_ielen = 0;
char custom[MAX_CUSTOM_LEN];
char *custom;
char *p;
u16 max_rate = 0, rate, ht_cap = false;
u32 i = 0;
@ -319,6 +319,9 @@ static char *translate_scan(struct adapter *padapter,
/*Add basic and extended rates */
max_rate = 0;
custom = kzalloc(MAX_CUSTOM_LEN, GFP_ATOMIC);
if (!custom)
return start;
p = custom;
p += snprintf(p, MAX_CUSTOM_LEN - (p - custom), " Rates (Mb/s): ");
while (pnetwork->network.SupportedRates[i] != 0) {
@ -429,6 +432,7 @@ static char *translate_scan(struct adapter *padapter,
iwe.u.qual.qual = (u8)sq; /* signal quality */
iwe.u.qual.noise = 0; /* noise level */
start = iwe_stream_add_event(info, start, stop, &iwe, IW_EV_QUAL_LEN);
kfree(custom);
return start;
}