diff options
| author | Dan Carpenter <error27@gmail.com> | 2011-02-09 01:45:13 +0300 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@suse.de> | 2011-02-09 11:51:27 -0800 |
| commit | d936435f2082788748ae5783cf2c006367d04bb8 (patch) | |
| tree | aaebcffaaf93b2bfc46da131e2ae283f4ea9fdb0 /drivers/staging/rtl8712 | |
| parent | ec42dc2c7f6a530d16562a061cb3d00a63f8a612 (diff) | |
Staging: rtl8712: fix math errors in snprintf()
The original code had calls to snprintf(p, 7, "wpa_ie=") but that string
is 8 characters (because snprintf() puts a NUL terminator on the end).
So instead of an '=' the what gets written to buf is a NUL terminator
followed by the rest of the string.
And actually the %02x formats are three chars as well when you include
the terminator.
Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'drivers/staging/rtl8712')
| -rw-r--r-- | drivers/staging/rtl8712/rtl871x_ioctl_linux.c | 22 |
1 files changed, 13 insertions, 9 deletions
diff --git a/drivers/staging/rtl8712/rtl871x_ioctl_linux.c b/drivers/staging/rtl8712/rtl871x_ioctl_linux.c index 0d288c159c1..221be81c85e 100644 --- a/drivers/staging/rtl8712/rtl871x_ioctl_linux.c +++ b/drivers/staging/rtl8712/rtl871x_ioctl_linux.c @@ -281,18 +281,20 @@ static inline char *translate_scan(struct _adapter *padapter, /* parsing WPA/WPA2 IE */ { u16 wpa_len = 0, rsn_len = 0; - u8 *p; + int n; sint out_len = 0; out_len = r8712_get_sec_ie(pnetwork->network.IEs, pnetwork->network. IELength, rsn_ie, &rsn_len, wpa_ie, &wpa_len); if (wpa_len > 0) { - p = buf; memset(buf, 0, MAX_WPA_IE_LEN); - p += snprintf(p, 7, "wpa_ie="); - for (i = 0; i < wpa_len; i++) - p += snprintf(p, 2, "%02x", wpa_ie[i]); + n = sprintf(buf, "wpa_ie="); + for (i = 0; i < wpa_len; i++) { + n += snprintf(buf + n, MAX_WPA_IE_LEN - n, "%02x", wpa_ie[i]); + if (n >= MAX_WPA_IE_LEN) + break; + } memset(&iwe, 0, sizeof(iwe)); iwe.cmd = IWEVCUSTOM; iwe.u.data.length = (u16)strlen(buf); @@ -305,11 +307,13 @@ static inline char *translate_scan(struct _adapter *padapter, &iwe, wpa_ie); } if (rsn_len > 0) { - p = buf; memset(buf, 0, MAX_WPA_IE_LEN); - p += snprintf(p, 7, "rsn_ie="); - for (i = 0; i < rsn_len; i++) - p += snprintf(p, 2, "%02x", rsn_ie[i]); + n = sprintf(buf, "rsn_ie="); + for (i = 0; i < rsn_len; i++) { + n += snprintf(buf + n, MAX_WPA_IE_LEN - n, "%02x", rsn_ie[i]); + if (n >= MAX_WPA_IE_LEN) + break; + } memset(&iwe, 0, sizeof(iwe)); iwe.cmd = IWEVCUSTOM; iwe.u.data.length = strlen(buf); |