From 596818fee378efa7d871bfd386a387b62c09ca13 Mon Sep 17 00:00:00 2001
From: Larry Finger
Date: Thu, 21 Jan 2016 19:32:54 -0600
Subject: [PATCH 1/2] rtl8188eu: Move buffer off stack in translate_scan()

A user has reported a kernel panic that points to a stack overflow in this routine. The array that was moved is only 64 bytes, but perhaps the stack space is really tight.

Signed-off-by: Larry Finger
---
 os_dep/ioctl_linux.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/os_dep/ioctl_linux.c b/os_dep/ioctl_linux.c
index 17ab9c7..25e8c0a 100644
--- a/os_dep/ioctl_linux.c
+++ b/os_dep/ioctl_linux.c
@@ -190,7 +190,7 @@ static char *translate_scan(struct adapter *padapter,
 u16 cap;
 __le16 le_tmp;
 u32 ht_ielen = 0;
- char custom[MAX_CUSTOM_LEN];
+ char *custom;
 char *p;
 u16 max_rate = 0, rate, ht_cap = false;
 u32 i = 0;
@@ -319,6 +319,9 @@ static char *translate_scan(struct adapter *padapter,
 /*Add basic and extended rates */
 max_rate = 0;
+ custom = kzalloc(MAX_CUSTOM_LEN, GFP_ATOMIC);
+ if (!custom)
+ return start;
 p = custom;
 p += snprintf(p, MAX_CUSTOM_LEN - (p - custom), " Rates (Mb/s): ");
 while (pnetwork->network.SupportedRates[i] != 0) {
@@ -429,6 +432,7 @@ static char *translate_scan(struct adapter *padapter,
 iwe.u.qual.qual = (u8)sq; /* signal quality */
 iwe.u.qual.noise = 0; /* noise level */
 start = iwe_stream_add_event(info, start, stop, &iwe, IW_EV_QUAL_LEN);
+ kfree(custom);
 return start;
 }

From 379691b761982516f52c7b9add555a6241f7873e Mon Sep 17 00:00:00 2001
From: Larry Finger
Date: Thu, 21 Jan 2016 20:16:15 -0600
Subject: [PATCH 2/2] rtl8188eu: Remove additional arrays from the stack in translate_scan()

Signed-off-by: Larry Finger
---
 os_dep/ioctl_linux.c | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

diff --git a/os_dep/ioctl_linux.c b/os_dep/ioctl_linux.c
index 25e8c0a..ad79f71 100644
--- a/os_dep/ioctl_linux.c
+++ b/os_dep/ioctl_linux.c
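Review bot: The new `if (!custom) return start;` in the second hunk silently truncates this scan entry: the caller receives a record without the rates, security IEs or signal-quality fields that follow it, with no indication that the entry is incomplete (the caller is outside this diff, so whether it could tell is inferred). The same applies to the `goto exit` paths the second patch adds to the WPA/WPA2 block, and GFP_ATOMIC allocations fail readily under memory pressure, so the path is reachable rather than theoretical. If emitting a partial entry is the intended best-effort behaviour, say so at the check, e.g. `/* out of memory: emit the partial entry rather than drop the whole scan */`. GFP_ATOMIC also suggests the caller holds a lock across translate_scan(); a one-line comment stating that would explain why the allocation cannot sleep. translate_scan() begins before the first hunk.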
@@ -352,11 +352,25 @@ static char *translate_scan(struct adapter *padapter,
 /* parsing WPA/WPA2 IE */
 {
- u8 buf[MAX_WPA_IE_LEN];
- u8 wpa_ie[255], rsn_ie[255];
+ u8 *buf;
+ u8 *wpa_ie, *rsn_ie;
 u16 wpa_len = 0, rsn_len = 0;
 u8 *p;
+ buf = kzalloc(MAX_WPA_IE_LEN, GFP_ATOMIC);
+ if (!buf)
+ goto exit;
+ wpa_ie = kzalloc(255, GFP_ATOMIC);
+ if (!wpa_ie) {
+ kfree(buf);
+ goto exit;
+ }
+ rsn_ie = kzalloc(255, GFP_ATOMIC);
+ if (!rsn_ie) {
+ kfree(buf);
+ kfree(wpa_ie);
+ goto exit;
+ }
 rtw_get_sec_ie(pnetwork->network.IEs, pnetwork->network.IELength, rsn_ie, &rsn_len, wpa_ie, &wpa_len);
 RT_TRACE(_module_rtl871x_mlme_c_, _drv_info_, ("rtw_wx_get_scan: ssid =%s\n", pnetwork->network.Ssid.Ssid));
 RT_TRACE(_module_rtl871x_mlme_c_, _drv_info_, ("rtw_wx_get_scan: wpa_len =%d rsn_len =%d\n", wpa_len, rsn_len));
@@ -394,6 +408,9 @@ static char *translate_scan(struct adapter *padapter,
 iwe.u.data.length = rsn_len;
 start = iwe_stream_add_point(info, start, stop, &iwe, rsn_ie);
 }
+ kfree(buf);
+ kfree(wpa_ie);
+ kfree(rsn_ie);
 }
 {/* parsing WPS IE */
@@ -432,6 +449,7 @@ static char *translate_scan(struct adapter *padapter,
 iwe.u.qual.qual = (u8)sq; /* signal quality */
 iwe.u.qual.noise = 0; /* noise level */
 start = iwe_stream_add_event(info, start, stop, &iwe, IW_EV_QUAL_LEN);
+exit:
 kfree(custom);
 return start;
 }
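Review bot: The three kzalloc() calls in the first hunk each carry their own hand-written unwinding (`kfree(buf); kfree(wpa_ie); goto exit;`), the pattern that drifts the moment a fourth buffer is added; one allocation of MAX_WPA_IE_LEN + 2 * 255 bytes carved into the three regions gives a single failure check here and a single kfree() in the second hunk, as sketched below. The literal 255 appears in both kzalloc() calls (and was the old array size) but is never named, while the `rtw_get_sec_ie()` call that follows is given no capacity for wpa_ie or rsn_ie — the bound exists only by convention between this function and that helper, and an overrun now corrupts the heap instead of the stack — so a named constant (`SEC_IE_BUF_LEN` below is a name chosen for this note) keeps the allocation and the helper's assumption in step. In the third hunk `exit:` frees `custom`, which is safe only because `custom` is allocated before the WPA/WPA2 block; `/* custom is always allocated before any goto exit */` at the label records that ordering, and kernel convention would name the label `out:`. translate_scan() begins before the first hunk.
```c
		u8 *buf;
		u8 *wpa_ie, *rsn_ie;
		/* … unchanged: wpa_len/rsn_len and p declarations … */

		/* one allocation carved into the three former stack arrays */
		buf = kzalloc(MAX_WPA_IE_LEN + 2 * SEC_IE_BUF_LEN, GFP_ATOMIC);
		if (!buf)
			goto exit;
		wpa_ie = buf + MAX_WPA_IE_LEN;
		rsn_ie = wpa_ie + SEC_IE_BUF_LEN;
		/* … unchanged: rtw_get_sec_ie(), RT_TRACE, IE emission … */
		kfree(buf);
```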