From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Sun, 23 Sep 2012 16:33:00 +0000 (+0300)
Subject: mwifiex: potential corruption in mwifiex_update_uap_custom_ie()
X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=fd0fc5218dc31d446fd108a6a571702a7c9bec29;p=GitHub%2Fexynos8895%2Fandroid_kernel_samsung_universal8895.git

mwifiex: potential corruption in mwifiex_update_uap_custom_ie()

ap_custom_ie is a struct mwifiex_ie_list which is quite different and
also larger than struct mwifiex_ie.  It's a difference between 4196
bytes and 262.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Tested-by: Stone Piao <piaoyun@marvell.com>
Acked-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
---

diff --git a/drivers/net/wireless/mwifiex/ie.c b/drivers/net/wireless/mwifiex/ie.c
index 1d8dd003e396..fa3a80fb8c01 100644
--- a/drivers/net/wireless/mwifiex/ie.c
+++ b/drivers/net/wireless/mwifiex/ie.c
@@ -160,7 +160,7 @@ mwifiex_update_uap_custom_ie(struct mwifiex_private *priv,
 	u16 len;
 	int ret;
 
-	ap_custom_ie = kzalloc(sizeof(struct mwifiex_ie), GFP_KERNEL);
+	ap_custom_ie = kzalloc(sizeof(*ap_custom_ie), GFP_KERNEL);
 	if (!ap_custom_ie)
 		return -ENOMEM;
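
Review bot: The kzalloc() on the changed line is sized correctly only if ap_custom_ie is declared as struct mwifiex_ie_list *, as the commit message says, and that declaration falls outside the hunk context, so confirm it against the full function before applying. The commit message gives the two sizes (4196 bytes versus 262) but does not name which later writes through ap_custom_ie ran past the old 262-byte allocation; stating that path would make the heap corruption impact clear to backporters, and with an under-allocation of that margin a stable tag seems warranted. Other allocations in ie.c that spell out sizeof(struct ...) rather than sizeof(*ptr) are worth checking for the same mismatch.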