From: Alan Date: Mon, 15 Feb 2016 18:58:10 +0000 (+0000) Subject: rtl871x: avoid running off end of buffer X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=0c68423556b59d1ebd65b056e7f24ab7089da401;p=GitHub%2Fmoto-9609%2Fandroid_kernel_motorola_exynos9610.git rtl871x: avoid running off end of buffer If 32 bytes of non zero are passed in pdata->pointer then the mac_pton function will run off the end of the buffer. Make sure we always have a terminated string kernel side. Signed-off-by: Alan Cox Signed-off-by: Greg Kroah-Hartman --- diff --git a/drivers/staging/rtl8712/rtl871x_ioctl_linux.c b/drivers/staging/rtl8712/rtl871x_ioctl_linux.c index a15f3ce70223..1b9e24900477 100644 --- a/drivers/staging/rtl8712/rtl871x_ioctl_linux.c +++ b/drivers/staging/rtl8712/rtl871x_ioctl_linux.c @@ -1961,7 +1961,7 @@ static int r871x_get_ap_info(struct net_device *dev, struct list_head *plist, *phead; unsigned char *pbuf; u8 bssid[ETH_ALEN]; - char data[32]; + char data[33]; if (padapter->bDriverStopped || (pdata == NULL)) return -EINVAL; @@ -1976,6 +1976,7 @@ static int r871x_get_ap_info(struct net_device *dev, if (pdata->length >= 32) { if (copy_from_user(data, pdata->pointer, 32)) return -EINVAL; + data[32] = 0; } else { return -EINVAL; }
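Review bot: in the first hunk (declarations of r871x_get_ap_info), `char data[33];` encodes "32 bytes of user input plus one terminator" as a bare literal, while the copy length and the terminator index in the second hunk depend on it without saying so. A named length constant for the 32, with the array declared as that constant plus one, or at least a comment on the declaration, would stop the three numbers from drifting apart in a later edit.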
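Review bot: in the second hunk, inside the `pdata->length >= 32` branch, `data[32] = 0;` hardcodes the index of the last array element. Writing it as `data[sizeof(data) - 1] = '\0';` and copying `sizeof(data) - 1` bytes in the copy_from_user call would keep the terminator tied to the declaration, so the string handed to mac_pton stays terminated if the buffer size changes. Separately, the context line returns -EINVAL when copy_from_user fails; -EFAULT is the conventional error for a faulting user pointer, although that line predates this patch.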