From: Dan Carpenter <error27@gmail.com>
To: Brett Rudley <brudley@broadcom.com>
Cc: Henry Ptasinski <henryp@broadcom.com>,
Nohee Ko <noheek@broadcom.com>,
Greg Kroah-Hartman <gregkh@suse.de>,
Jason Cooper <jason@lakedaemon.net>,
Grant Grundler <grundler@chromium.org>,
linux-wireless@vger.kernel.org, devel@driverdev.osuosl.org,
kernel-janitors@vger.kernel.org
Subject: [patch] Staging: brcm80211: make interface name buffer smaller
Date: Sat, 9 Oct 2010 13:54:06 +0200 [thread overview]
Message-ID: <20101009115406.GR11681@bicker> (raw)
In the original code the interface name was IFNAMSIZ + 1, but that
caused problems in dhd_ifname2idx() which does:
strncmp(dhd->iflist[i]->name, name, IFNAMSIZ)
The wl_event_msg_t struct can only store 16 character names as well.
And thirdly there is a potential buffer overflow in dhd_op_if() because
if->net->name is IFNAMSIZ and we do:
strcpy(ifp->net->name, ifp->name);
Signed-off-by: Dan Carpenter <error27@gmail.com>
diff --git a/drivers/staging/brcm80211/brcmfmac/dhd_linux.c b/drivers/staging/brcm80211/brcmfmac/dhd_linux.c
index 72eed5b..d513069 100644
--- a/drivers/staging/brcm80211/brcmfmac/dhd_linux.c
+++ b/drivers/staging/brcm80211/brcmfmac/dhd_linux.c
@@ -217,7 +217,7 @@ typedef struct dhd_if {
u8 mac_addr[ETHER_ADDR_LEN]; /* assigned MAC address */
bool attached; /* Delayed attachment when unset */
bool txflowcontrol; /* Per interface flow control indicator */
- char name[IFNAMSIZ + 1]; /* linux interface name */
+ char name[IFNAMSIZ]; /* linux interface name */
} dhd_if_t;
/* Local private structure (extension of pub) */
@@ -1871,8 +1871,7 @@ dhd_add_if(dhd_info_t *dhd, int ifidx, void *handle, char *name,
memset(ifp, 0, sizeof(dhd_if_t));
ifp->info = dhd;
dhd->iflist[ifidx] = ifp;
- strncpy(ifp->name, name, IFNAMSIZ);
- ifp->name[IFNAMSIZ] = '\0';
+ strlcpy(ifp->name, name, IFNAMSIZ);
if (mac_addr != NULL)
memcpy(&ifp->mac_addr, mac_addr, ETHER_ADDR_LEN);
reply other threads:[~2010-10-09 11:54 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20101009115406.GR11681@bicker \
--to=error27@gmail.com \
--cc=brudley@broadcom.com \
--cc=devel@driverdev.osuosl.org \
--cc=gregkh@suse.de \
--cc=grundler@chromium.org \
--cc=henryp@broadcom.com \
--cc=jason@lakedaemon.net \
--cc=kernel-janitors@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=noheek@broadcom.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).