linux-wireless.vger.kernel.org archive mirror
* [PATCH] cfg80211: Use the correct IE buffer pointer
@ 2009-04-26  9:27 Michael Buesch
From: Michael Buesch @ 2009-04-26  9:27 UTC
  To: linville; +Cc: Johannes Berg, linux-wireless

If the IE buffer was allocated, the pub.information_elements pointer
was also changed to the allocated space. So we must not assume anymore
that the pointer points at the "found" tail.

So if it was allocated previously, take the code branch that grows the
buffer size (if necessary) and put the data into the allocated buffer.

Signed-off-by: Michael Buesch <mb@bu3sch.de>
Acked-by: Johannes Berg <johannes@sipsolutions.net>

---

The original code will probably not overrun the buffer, because the buffer is always
guaranteed to be bigger than ksize(found)-used. But I think it's a bad idea anyway to poke with
a dangling pointer. ;)


 net/wireless/scan.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- wireless-testing.orig/net/wireless/scan.c
+++ wireless-testing/net/wireless/scan.c
@@ -377,7 +377,7 @@ cfg80211_bss_update(struct cfg80211_regi
 			size_t used = dev->wiphy.bss_priv_size + sizeof(*res);
 			size_t ielen = res->pub.len_information_elements;
 
-			if (ksize(found) >= used + ielen) {
+			if (!found->ies_allocated && ksize(found) >= used + ielen) {
 				memcpy(found->pub.information_elements,
 				       res->pub.information_elements, ielen);
 				found->pub.len_information_elements = ielen;
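
Review bot: The in-place memcpy() kept as context here is only safe because of an invariant the code never states: the size check is made against ksize(found), while the write goes through found->pub.information_elements, and the two refer to the same allocation only while ies_allocated is clear. The new !found->ies_allocated test on the changed line enforces that, but a short comment above the if saying that the pointer no longer points at the tail of found once ies_allocated is set would keep a later cleanup from removing the test as redundant. The branch taken when the condition is false is not visible in this hunk, so it is worth confirming that it handles an already allocated buffer that is large enough without reallocating. As a style point, the changed line now runs past 80 columns at this indentation; consider wrapping after the &&.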


-- 
Greetings, Michael.
