diff options
| author | Peter Huewe <peterhuewe@gmx.de> | 2013-02-14 04:08:55 +0100 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2013-02-14 09:26:23 -0800 |
| commit | 67a88e6390e52e42b72342a88fab458ada00ba28 (patch) | |
| tree | 23bec107be525564cd07f6b3cf6e3011f05324a6 /drivers/staging | |
| parent | fae7e4d39373305cf505d1f0871a4491897d56f9 (diff) | |
| download | linux-67a88e6390e52e42b72342a88fab458ada00ba28.tar.gz linux-67a88e6390e52e42b72342a88fab458ada00ba28.tar.bz2 linux-67a88e6390e52e42b72342a88fab458ada00ba28.zip | |
staging/rtl8192u/ieee80211: Fix buffer overflow in ieee80211_softmac_wx.c
Clang/scan-build complains about a possible buffer overflow in
ieee80211_wx_get_name:
.../staging/rtl8192u/ieee80211/ieee80211_softmac_wx.c:499:3:
warning: String copy function overflows destination buffer
strcat(wrqu->name," link..");
.../staging/rtl8192u/ieee80211/ieee80211_softmac_wx.c:497:3:
warning: String copy function overflows destination buffer
strcat(wrqu->name," linked");
The buffer wrqu->name is only IFNAMSIZ bytes big (currently 16),
so if we have a "802.11b/g/n linked" device we overrun the buffer by 3
bytes.
-> Use strlcopy / strlcat to populate the name.
This is done in a similar fashion in
staging/rtl8187se/ieee80211/ieee80211_softmac_wx.c
While at it cleaned some whitespace issues.
Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/staging')
| -rw-r--r-- | drivers/staging/rtl8192u/ieee80211/ieee80211_softmac_wx.c | 29 |
1 files changed, 15 insertions, 14 deletions
diff --git a/drivers/staging/rtl8192u/ieee80211/ieee80211_softmac_wx.c b/drivers/staging/rtl8192u/ieee80211/ieee80211_softmac_wx.c index 45422db81488..60746b8b1eb0 100644 --- a/drivers/staging/rtl8192u/ieee80211/ieee80211_softmac_wx.c +++ b/drivers/staging/rtl8192u/ieee80211/ieee80211_softmac_wx.c @@ -482,22 +482,23 @@ int ieee80211_wx_get_name(struct ieee80211_device *ieee, struct iw_request_info *info, union iwreq_data *wrqu, char *extra) { - strcpy(wrqu->name, "802.11"); - if(ieee->modulation & IEEE80211_CCK_MODULATION){ - strcat(wrqu->name, "b"); - if(ieee->modulation & IEEE80211_OFDM_MODULATION) - strcat(wrqu->name, "/g"); - }else if(ieee->modulation & IEEE80211_OFDM_MODULATION) - strcat(wrqu->name, "g"); - if (ieee->mode & (IEEE_N_24G | IEEE_N_5G)) - strcat(wrqu->name, "/n"); + strlcpy(wrqu->name, "802.11", IFNAMSIZ); + if (ieee->modulation & IEEE80211_CCK_MODULATION) { + strlcat(wrqu->name, "b", IFNAMSIZ); + if (ieee->modulation & IEEE80211_OFDM_MODULATION) + strlcat(wrqu->name, "/g", IFNAMSIZ); + } else if (ieee->modulation & IEEE80211_OFDM_MODULATION) { + strlcat(wrqu->name, "g", IFNAMSIZ); + } - if((ieee->state == IEEE80211_LINKED) || - (ieee->state == IEEE80211_LINKED_SCANNING)) - strcat(wrqu->name," linked"); - else if(ieee->state != IEEE80211_NOLINK) - strcat(wrqu->name," link.."); + if (ieee->mode & (IEEE_N_24G | IEEE_N_5G)) + strlcat(wrqu->name, "/n", IFNAMSIZ); + if ((ieee->state == IEEE80211_LINKED) || + (ieee->state == IEEE80211_LINKED_SCANNING)) + strlcat(wrqu->name, " linked", IFNAMSIZ); + else if (ieee->state != IEEE80211_NOLINK) + strlcat(wrqu->name, " link..", IFNAMSIZ); return 0; } |