* [PATCH] mac80211: avoid possible buffer overrun in sta_agg_status_write
@ 2008-11-07 20:26 John W. Linville
2009-02-08 20:25 ` [stable] " Greg KH
0 siblings, 1 reply; 4+ messages in thread
From: John W. Linville @ 2008-11-07 20:26 UTC (permalink / raw)
To: linux-wireless; +Cc: John W. Linville, Andrew Morton, Johannes Berg, stable
This addresses the bug report here:
http://bugzilla.kernel.org/show_bug.cgi?id=3D11975
Reported-by: Daniel Marjam=C3=A4ki <danielm77@spray.se>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Johannes Berg <johannes@sipsolutions.net>
Cc: stable@kernel.org
Signed-off-by: John W. Linville <linville@tuxdriver.com>
---
net/mac80211/debugfs_sta.c | 9 ++-------
1 files changed, 2 insertions(+), 7 deletions(-)
diff --git a/net/mac80211/debugfs_sta.c b/net/mac80211/debugfs_sta.c
index 189d0ba..2e6752a 100644
--- a/net/mac80211/debugfs_sta.c
+++ b/net/mac80211/debugfs_sta.c
@@ -184,7 +184,6 @@ static ssize_t sta_agg_status_write(struct file *fi=
le,
char buf[32];
int buf_size, rs;
unsigned int tid_num;
- char state[4];
=20
memset(buf, 0x00, sizeof(buf));
buf_size =3D min(count, (sizeof(buf)-1));
@@ -199,35 +198,31 @@ static ssize_t sta_agg_status_write(struct file *=
file,
/* toggle Rx aggregation command */
tid_num =3D tid_num - 100;
if (tid_static_rx[tid_num] =3D=3D 1) {
- strcpy(state, "off ");
ieee80211_sta_stop_rx_ba_session(sta->sdata, da, tid_num, 0,
WLAN_REASON_QSTA_REQUIRE_SETUP);
sta->ampdu_mlme.tid_state_rx[tid_num] |=3D
HT_AGG_STATE_DEBUGFS_CTL;
tid_static_rx[tid_num] =3D 0;
} else {
- strcpy(state, "on ");
sta->ampdu_mlme.tid_state_rx[tid_num] &=3D
~HT_AGG_STATE_DEBUGFS_CTL;
tid_static_rx[tid_num] =3D 1;
}
printk(KERN_DEBUG "debugfs - try switching tid %u %s\n",
- tid_num, state);
+ tid_num, tid_static_rx[tid_num] ? "on" : "off");
} else if ((tid_num >=3D 0) && (tid_num <=3D 15)) {
/* toggle Tx aggregation command */
if (tid_static_tx[tid_num] =3D=3D 0) {
- strcpy(state, "on ");
rs =3D ieee80211_start_tx_ba_session(hw, da, tid_num);
if (rs =3D=3D 0)
tid_static_tx[tid_num] =3D 1;
} else {
- strcpy(state, "off");
rs =3D ieee80211_stop_tx_ba_session(hw, da, tid_num, 1);
if (rs =3D=3D 0)
tid_static_tx[tid_num] =3D 0;
}
printk(KERN_DEBUG "debugfs - switching tid %u %s, return=3D%d\n",
- tid_num, state, rs);
+ tid_num, tid_static_tx[tid_num] ? "on" : "off", rs);
}
=20
return count;
--=20
1.5.4.3
--
To unsubscribe from this list: send the line "unsubscribe linux-wireles=
s" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply related [flat|nested] 4+ messages in thread* Re: [stable] [PATCH] mac80211: avoid possible buffer overrun in sta_agg_status_write
2008-11-07 20:26 [PATCH] mac80211: avoid possible buffer overrun in sta_agg_status_write John W. Linville
@ 2009-02-08 20:25 ` Greg KH
2009-02-13 21:30 ` John W. Linville
0 siblings, 1 reply; 4+ messages in thread
From: Greg KH @ 2009-02-08 20:25 UTC (permalink / raw)
To: John W. Linville; +Cc: linux-wireless, Johannes Berg, Andrew Morton, stable
John, the patch below seems to have David Miller's ack that he applied
it to a tree back in November, but I don't see it in Linus's tree
anywhere. Did something happen to it?
confused,
greg k-h
On Fri, Nov 07, 2008 at 03:26:59PM -0500, John W. Linville wrote:
> This addresses the bug report here:
>=20
> http://bugzilla.kernel.org/show_bug.cgi?id=3D11975
>=20
> Reported-by: Daniel Marjam=E4ki <danielm77@spray.se>
> Cc: Andrew Morton <akpm@linux-foundation.org>
> Cc: Johannes Berg <johannes@sipsolutions.net>
> Cc: stable@kernel.org
> Signed-off-by: John W. Linville <linville@tuxdriver.com>
> ---
> net/mac80211/debugfs_sta.c | 9 ++-------
> 1 files changed, 2 insertions(+), 7 deletions(-)
>=20
> diff --git a/net/mac80211/debugfs_sta.c b/net/mac80211/debugfs_sta.c
> index 189d0ba..2e6752a 100644
> --- a/net/mac80211/debugfs_sta.c
> +++ b/net/mac80211/debugfs_sta.c
> @@ -184,7 +184,6 @@ static ssize_t sta_agg_status_write(struct file *=
file,
> char buf[32];
> int buf_size, rs;
> unsigned int tid_num;
> - char state[4];
> =20
> memset(buf, 0x00, sizeof(buf));
> buf_size =3D min(count, (sizeof(buf)-1));
> @@ -199,35 +198,31 @@ static ssize_t sta_agg_status_write(struct file=
*file,
> /* toggle Rx aggregation command */
> tid_num =3D tid_num - 100;
> if (tid_static_rx[tid_num] =3D=3D 1) {
> - strcpy(state, "off ");
> ieee80211_sta_stop_rx_ba_session(sta->sdata, da, tid_num, 0,
> WLAN_REASON_QSTA_REQUIRE_SETUP);
> sta->ampdu_mlme.tid_state_rx[tid_num] |=3D
> HT_AGG_STATE_DEBUGFS_CTL;
> tid_static_rx[tid_num] =3D 0;
> } else {
> - strcpy(state, "on ");
> sta->ampdu_mlme.tid_state_rx[tid_num] &=3D
> ~HT_AGG_STATE_DEBUGFS_CTL;
> tid_static_rx[tid_num] =3D 1;
> }
> printk(KERN_DEBUG "debugfs - try switching tid %u %s\n",
> - tid_num, state);
> + tid_num, tid_static_rx[tid_num] ? "on" : "off");
> } else if ((tid_num >=3D 0) && (tid_num <=3D 15)) {
> /* toggle Tx aggregation command */
> if (tid_static_tx[tid_num] =3D=3D 0) {
> - strcpy(state, "on ");
> rs =3D ieee80211_start_tx_ba_session(hw, da, tid_num);
> if (rs =3D=3D 0)
> tid_static_tx[tid_num] =3D 1;
> } else {
> - strcpy(state, "off");
> rs =3D ieee80211_stop_tx_ba_session(hw, da, tid_num, 1);
> if (rs =3D=3D 0)
> tid_static_tx[tid_num] =3D 0;
> }
> printk(KERN_DEBUG "debugfs - switching tid %u %s, return=3D%d\n",
> - tid_num, state, rs);
> + tid_num, tid_static_tx[tid_num] ? "on" : "off", rs);
> }
> =20
> return count;
> --=20
> 1.5.4.3
>=20
> _______________________________________________
> stable mailing list
> stable@linux.kernel.org
> http://linux.kernel.org/mailman/listinfo/stable
--
To unsubscribe from this list: send the line "unsubscribe linux-wireles=
s" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: [stable] [PATCH] mac80211: avoid possible buffer overrun in sta_agg_status_write
2009-02-08 20:25 ` [stable] " Greg KH
@ 2009-02-13 21:30 ` John W. Linville
2009-02-13 23:43 ` Greg KH
0 siblings, 1 reply; 4+ messages in thread
From: John W. Linville @ 2009-02-13 21:30 UTC (permalink / raw)
To: Greg KH; +Cc: linux-wireless, Johannes Berg, Andrew Morton, stable
On Sun, Feb 08, 2009 at 12:25:27PM -0800, Greg KH wrote:
>
> John, the patch below seems to have David Miller's ack that he applied
> it to a tree back in November, but I don't see it in Linus's tree
> anywhere. Did something happen to it?
I think Dave applied a slightly different patch to do more-or-less
the same thing.
commit 013cd397532e5803a1625954a884d021653da720
Author: Jianjun Kong <jianjun@zeuux.org>
Date: Mon Nov 10 21:37:39 2008 -0800
mac80211: fix a buffer overrun in station debug code
net/mac80211/debugfs_sta.c
The trailing zero was written to state[4], it's out of bounds.
Signed-off-by: Jianjun Kong <jianjun@zeuux.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Hth!
John
--
John W. Linville Someday the world will need a hero, and you
linville@tuxdriver.com might be all we have. Be ready.
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: [stable] [PATCH] mac80211: avoid possible buffer overrun in sta_agg_status_write
2009-02-13 21:30 ` John W. Linville
@ 2009-02-13 23:43 ` Greg KH
0 siblings, 0 replies; 4+ messages in thread
From: Greg KH @ 2009-02-13 23:43 UTC (permalink / raw)
To: John W. Linville; +Cc: linux-wireless, Johannes Berg, Andrew Morton, stable
On Fri, Feb 13, 2009 at 04:30:50PM -0500, John W. Linville wrote:
> On Sun, Feb 08, 2009 at 12:25:27PM -0800, Greg KH wrote:
> >
> > John, the patch below seems to have David Miller's ack that he applied
> > it to a tree back in November, but I don't see it in Linus's tree
> > anywhere. Did something happen to it?
>
> I think Dave applied a slightly different patch to do more-or-less
> the same thing.
>
> commit 013cd397532e5803a1625954a884d021653da720
> Author: Jianjun Kong <jianjun@zeuux.org>
> Date: Mon Nov 10 21:37:39 2008 -0800
Ah, thanks, I missed that, I'll go add it to the queue.
greg k-h
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2009-02-13 23:56 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2008-11-07 20:26 [PATCH] mac80211: avoid possible buffer overrun in sta_agg_status_write John W. Linville
2009-02-08 20:25 ` [stable] " Greg KH
2009-02-13 21:30 ` John W. Linville
2009-02-13 23:43 ` Greg KH
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).