From 1d240d370290445e08a35917700776db60ffe831 Mon Sep 17 00:00:00 2001 From: Brian Norris Date: Wed, 10 Dec 2014 01:39:18 -0800 Subject: [PATCH] brcmsmac: don't leak kernel memory via printk() MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Debug code prints the fifo name via custom dev_warn() wrappers. The fifo_names array is only non-zero when debugging is manually enabled, which is all well and good. However, it's *not* good that this array uses zero-length arrays in the non-debug case, and so it doesn't actually have any memory allocated to it. This means that as far as we know, fifo_names[i] actually points to garbage memory. I've seen this in my log: [ 4601.205511] brcmsmac bcma0:1: wl0: brcms_c_d11hdrs_mac80211: �GeL txop exceeded phylen 137/256 dur 1602/1504 So let's give this array space enough to fill it with a NULL byte. Signed-off-by: Brian Norris Cc: Brett Rudley Cc: Arend van Spriel Cc: "Franky (Zhenhui) Lin" Cc: Hante Meuleman Cc: "John W. Linville" Cc: linux-wireless@vger.kernel.org Cc: brcm80211-dev-list@broadcom.com Cc: netdev@vger.kernel.org Acked-by: Arend van Spriel Signed-off-by: John W. Linville --- drivers/net/wireless/brcm80211/brcmsmac/main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/brcm80211/brcmsmac/main.c b/drivers/net/wireless/brcm80211/brcmsmac/main.c index a104d7ac3796..eb8584a9c49a 100644 --- a/drivers/net/wireless/brcm80211/brcmsmac/main.c +++ b/drivers/net/wireless/brcm80211/brcmsmac/main.c @@ -316,7 +316,7 @@ static const u16 xmtfifo_sz[][NFIFO] = { static const char * const fifo_names[] = { "AC_BK", "AC_BE", "AC_VI", "AC_VO", "BCMC", "ATIM" }; #else -static const char fifo_names[6][0]; +static const char fifo_names[6][1]; #endif #ifdef DEBUG -- 2.20.1