[PATCH] wireless: More WE-21 potential overflows...

After the Orinoco issue, I did an audit of other drivers for the same
issue.  Three drivers were NULL terminating the ESSID, which could cause an
overflow in WE-21 when the ESSID has maximum size.

Signed-off-by: Jean Tourrilhes <jt@hpl.hp.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

diff --git a/drivers/net/wireless/airo.c b/drivers/net/wireless/airo.c
index 9d5427a..e0710fa 100644 (file)
--- a/drivers/net/wireless/airo.c
+++ b/drivers/net/wireless/airo.c
@@ -5970,7 +5970,6 @@ static int airo_get_essid(struct net_device *dev,
 
        /* Get the current SSID */
        memcpy(extra, status_rid.SSID, status_rid.SSIDlen);
-       extra[status_rid.SSIDlen] = '\0';
        /* If none, we may want to get the one that was set */
 
        /* Push it out ! */

diff --git a/drivers/net/wireless/atmel.c b/drivers/net/wireless/atmel.c
index 31eed85..0c07b8b 100644 (file)
--- a/drivers/net/wireless/atmel.c
+++ b/drivers/net/wireless/atmel.c
@@ -1678,11 +1678,9 @@ static int atmel_get_essid(struct net_device *dev,
        /* Get the current SSID */
        if (priv->new_SSID_size != 0) {
                memcpy(extra, priv->new_SSID, priv->new_SSID_size);
-               extra[priv->new_SSID_size] = '\0';
                dwrq->length = priv->new_SSID_size;
        } else {
                memcpy(extra, priv->SSID, priv->SSID_size);
-               extra[priv->SSID_size] = '\0';
                dwrq->length = priv->SSID_size;
        }
 

diff --git a/drivers/net/wireless/ray_cs.c b/drivers/net/wireless/ray_cs.c
index 0b381d7..7fbfc9e 100644 (file)
--- a/drivers/net/wireless/ray_cs.c
+++ b/drivers/net/wireless/ray_cs.c
@@ -1198,7 +1198,6 @@ static int ray_get_essid(struct net_device *dev,
 
        /* Get the essid that was set */
        memcpy(extra, local->sparm.b5.a_current_ess_id, IW_ESSID_MAX_SIZE);
-       extra[IW_ESSID_MAX_SIZE] = '\0';
 
        /* Push it out ! */
        dwrq->length = strlen(extra);