staging: rtl8712: Fix possible buffer overrun

In commit 8b7a13c3f4 ("staging: r8712u: Fix possible buffer
overrun") we fix a potential off by one by making the limit smaller.
The better fix is to make the buffer larger.  This makes it match up
with the similar code in other drivers.

Fixes: 8b7a13c3f4 ("staging: r8712u: Fix possible buffer overrun")
Signed-off-by: Young Xiao <YangX92@hotmail.com>
Cc: stable <stable@vger.kernel.org>
Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Young Xiao 2018-11-28 08:06:53 +00:00 committed by Greg Kroah-Hartman
parent 2595646791
commit 300cd66486
2 changed files with 2 additions and 2 deletions

View File

@ -146,7 +146,7 @@ void r8712_report_sec_ie(struct _adapter *adapter, u8 authmode, u8 *sec_ie)
p = buff; p = buff;
p += sprintf(p, "ASSOCINFO(ReqIEs="); p += sprintf(p, "ASSOCINFO(ReqIEs=");
len = sec_ie[1] + 2; len = sec_ie[1] + 2;
len = (len < IW_CUSTOM_MAX) ? len : IW_CUSTOM_MAX - 1; len = (len < IW_CUSTOM_MAX) ? len : IW_CUSTOM_MAX;
for (i = 0; i < len; i++) for (i = 0; i < len; i++)
p += sprintf(p, "%02x", sec_ie[i]); p += sprintf(p, "%02x", sec_ie[i]);
p += sprintf(p, ")"); p += sprintf(p, ")");

View File

@ -1346,7 +1346,7 @@ sint r8712_restruct_sec_ie(struct _adapter *adapter, u8 *in_ie,
u8 *out_ie, uint in_len) u8 *out_ie, uint in_len)
{ {
u8 authmode = 0, match; u8 authmode = 0, match;
u8 sec_ie[255], uncst_oui[4], bkup_ie[255]; u8 sec_ie[IW_CUSTOM_MAX], uncst_oui[4], bkup_ie[255];
u8 wpa_oui[4] = {0x0, 0x50, 0xf2, 0x01}; u8 wpa_oui[4] = {0x0, 0x50, 0xf2, 0x01};
uint ielength, cnt, remove_cnt; uint ielength, cnt, remove_cnt;
int iEntry; int iEntry;