Staging: rtl8712: fix math errors in snprintf()
authorDan Carpenter <error27@gmail.com>
Tue, 8 Feb 2011 22:45:13 +0000 (01:45 +0300)
committerGreg Kroah-Hartman <gregkh@suse.de>
Wed, 9 Feb 2011 19:51:27 +0000 (11:51 -0800)
The original code had calls to snprintf(p, 7, "wpa_ie=") but that string
is 8 characters (because snprintf() puts a NUL terminator on the end).
So instead of an '=', what gets written to buf is a NUL terminator
followed by the rest of the string.

And actually the %02x formats are three chars as well when you include
the terminator.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
drivers/staging/rtl8712/rtl871x_ioctl_linux.c

index 0d288c159c1d7dd9151879d777b25bd582f974dc..221be81c85eb846497308b86f510100e00d9158a 100644 (file)
@@ -281,18 +281,20 @@ static inline char *translate_scan(struct _adapter *padapter,
        /* parsing WPA/WPA2 IE */
        {
                u16 wpa_len = 0, rsn_len = 0;
-               u8 *p;
+               int n;
                sint out_len = 0;
                out_len = r8712_get_sec_ie(pnetwork->network.IEs,
                                           pnetwork->network.
                                           IELength, rsn_ie, &rsn_len,
                                           wpa_ie, &wpa_len);
                if (wpa_len > 0) {
-                       p = buf;
                        memset(buf, 0, MAX_WPA_IE_LEN);
-                       p += snprintf(p, 7, "wpa_ie=");
-                       for (i = 0; i < wpa_len; i++)
-                               p += snprintf(p, 2, "%02x", wpa_ie[i]);
+                       n = sprintf(buf, "wpa_ie=");
+                       for (i = 0; i < wpa_len; i++) {
+                               n += snprintf(buf + n, MAX_WPA_IE_LEN - n, "%02x", wpa_ie[i]);
+                               if (n >= MAX_WPA_IE_LEN)
+                                       break;
+                       }
                        memset(&iwe, 0, sizeof(iwe));
                        iwe.cmd = IWEVCUSTOM;
                        iwe.u.data.length = (u16)strlen(buf);
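Review bot: When the hex string does not fit, the new loop in the `wpa_len > 0` branch lets snprintf() truncate and only then breaks, so buf can end on a single hex digit (half a byte) and the IWEVCUSTOM event is still sent with `strlen(buf)` as if the IE were complete. The IE bytes appear to come from received scan results, so an IE longer than the buffer can hold should be treated as an expected case; checking for room before each write, `if (MAX_WPA_IE_LEN - n < 3) break;` placed ahead of the snprintf() call, keeps only whole bytes and makes the post-write `n >= MAX_WPA_IE_LEN` test unnecessary. The `rsn_len > 0` loop in the second hunk has the same shape. The bound also assumes buf holds at least MAX_WPA_IE_LEN bytes; its declaration and the rest of translate_scan() lie outside the hunk, so that is worth confirming.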
@@ -305,11 +307,13 @@ static inline char *translate_scan(struct _adapter *padapter,
                                &iwe, wpa_ie);
                }
                if (rsn_len > 0) {
-                       p = buf;
                        memset(buf, 0, MAX_WPA_IE_LEN);
-                       p += snprintf(p, 7, "rsn_ie=");
-                       for (i = 0; i < rsn_len; i++)
-                               p += snprintf(p, 2, "%02x", rsn_ie[i]);
+                       n = sprintf(buf, "rsn_ie=");
+                       for (i = 0; i < rsn_len; i++) {
+                               n += snprintf(buf + n, MAX_WPA_IE_LEN - n, "%02x", rsn_ie[i]);
+                               if (n >= MAX_WPA_IE_LEN)
+                                       break;
+                       }
                        memset(&iwe, 0, sizeof(iwe));
                        iwe.cmd = IWEVCUSTOM;
                        iwe.u.data.length = strlen(buf);