[PATCH] staging: rtl8723bs: Fix possible buffer overrun

Yang Xiao YangX92 at hotmail.com
Wed Nov 28 02:22:31 UTC 2018


From: Young Xiao <YangX92 at hotmail.com>

In routine rtw_report_sec_ie(), the code could set the length
of the buffer to 256; however, that value is one larger than the
corresponding memory allocation.

See commit 8b7a13c3f404 ("staging: r8712u: Fix possible
buffer overrun") for detail.

Signed-off-by: Young Xiao <YangX92 at hotmail.com>
---
 drivers/staging/rtl8723bs/os_dep/mlme_linux.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/staging/rtl8723bs/os_dep/mlme_linux.c b/drivers/staging/rtl8723bs/os_dep/mlme_linux.c
index da4bd52..085026c 100644
--- a/drivers/staging/rtl8723bs/os_dep/mlme_linux.c
+++ b/drivers/staging/rtl8723bs/os_dep/mlme_linux.c
@@ -165,7 +165,7 @@ void rtw_report_sec_ie(struct adapter *adapter, u8 authmode, u8 *sec_ie)
 		p += sprintf(p, "ASSOCINFO(ReqIEs =");
 
 		len = sec_ie[1] + 2;
-		len = (len < IW_CUSTOM_MAX) ? len : IW_CUSTOM_MAX;
+		len = (len < IW_CUSTOM_MAX) ? len : IW_CUSTOM_MAX - 1;
 
 		for (i = 0; i < len; i++) {
 			p += sprintf(p, "%02x", sec_ie[i]);
-- 
2.7.4



More information about the devel mailing list