2008-11-08 02:36:26

by Amos Kong

Subject: [PATCH] nets: fix a buffer overrun


net/mac80211/debugfs_sta.c
The trailing zero was written to state[4], it's out of bounds.

Signed-off-by: Jianjun Kong <[email protected]>
---
net/mac80211/debugfs_sta.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/net/mac80211/debugfs_sta.c b/net/mac80211/debugfs_sta.c
index 189d0ba..b85c4f2 100644
--- a/net/mac80211/debugfs_sta.c
+++ b/net/mac80211/debugfs_sta.c
@@ -199,7 +199,7 @@ static ssize_t sta_agg_status_write(struct file *file,
/* toggle Rx aggregation command */
tid_num = tid_num - 100;
if (tid_static_rx[tid_num] == 1) {
- strcpy(state, "off ");
+ strcpy(state, "off");
ieee80211_sta_stop_rx_ba_session(sta->sdata, da, tid_num, 0,
WLAN_REASON_QSTA_REQUIRE_SETUP);
sta->ampdu_mlme.tid_state_rx[tid_num] |=
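Review bot: The replacement line strcpy(state, "off"); is still an unbounded copy, so the fix holds only as long as the literal happens to fit the buffer, and the declaration of state is not visible in this hunk to confirm its size. If state is a fixed-size array, a bounded copy such as strlcpy(state, "off", sizeof(state)); would tie the write to the buffer and keep a later edit of the string from reintroducing the overrun described in the commit message. Any other strcpy() into state in this function deserves the same check, since the four-character "off " was presumably not the only literal padded to a fixed width. Separately, tid_num = tid_num - 100; is used directly as the index in tid_static_rx[tid_num], and no range check on it appears in the lines shown here; it is worth confirming that one exists earlier in the function.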
--
1.5.6.3


2008-11-11 05:38:13

by David Miller

Subject: Re: [PATCH] nets: fix a buffer overrun

From: Jianjun Kong <[email protected]>
Date: Sat, 8 Nov 2008 10:35:58 +0800

> net/mac80211/debugfs_sta.c
> The trailing zero was written to state[4], it's out of bounds.
>
> Signed-off-by: Jianjun Kong <[email protected]>

Applied, thank you.