Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1030239AbWJCP6j (ORCPT ); Tue, 3 Oct 2006 11:58:39 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1030257AbWJCP6j (ORCPT ); Tue, 3 Oct 2006 11:58:39 -0400 Received: from anyanka.rfc1149.net ([81.56.47.149]:57067 "EHLO mail2.rfc1149.net") by vger.kernel.org with ESMTP id S1030239AbWJCP6i (ORCPT ); Tue, 3 Oct 2006 11:58:38 -0400 To: jt@hpl.hp.com Cc: Valdis.Kletnieks@vt.edu, "John W. Linville" , linux-kernel@vger.kernel.org, netdev@vger.kernel.org Subject: Re: 2.6.18-mm2 - oops in cache_alloc_refill() References: <20060928014623.ccc9b885.akpm@osdl.org> <200609290319.k8T3JOwS005455@turing-police.cc.vt.edu> <20060928202931.dc324339.akpm@osdl.org> <200609291519.k8TFJfvw004256@turing-police.cc.vt.edu> <20060929124558.33ef6c75.akpm@osdl.org> <200609300001.k8U01sPI004389@turing-police.cc.vt.edu> <20060929182008.fee2a229.akpm@osdl.org> <20061002175245.GA14744@bougret.hpl.hp.com> Date: 03 Oct 2006 17:58:31 +0200 In-Reply-To: <20061002175245.GA14744@bougret.hpl.hp.com> User-Agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.4 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii From: Samuel Tardieu Organization: RFC 1149 (see http://www.rfc1149.net/) Content-Transfer-Encoding: 8bit X-WWW: http://www.rfc1149.net/sam X-Jabber: (see http://www.jabber.org/) X-OpenPGP-Fingerprint: 79C0 AE3C CEA8 F17B 0EF1 45A5 F133 2241 1B80 ADE6 (see http://www.gnupg.org/) Message-Id: <2006-10-03-17-58-31+trackit+sam@rfc1149.net> Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1160 Lines: 30 >>>>> "Jean" == Jean Tourrilhes writes: Jean> @@ -2500,9 +2501,9 @@ static int orinoco_hw_get_essid(struct o Jean> len = le16_to_cpu(essidbuf.len); Jean> BUG_ON(len > IW_ESSID_MAX_SIZE); Jean> Jean> - memset(buf, 0, IW_ESSID_MAX_SIZE+1); Jean> + memset(buf, 0, IW_ESSID_MAX_SIZE); Jean> memcpy(buf, p, len); Jean> - buf[len] = '\0'; Jean> + err = len; Jean, something bugs me here: - either buf is supposed to be a nul-terminated string, in which case if p is IW_ESSID_MAX_SIZE long there may be a bug (no '\0' at the end of buf) - either buf is not-supposed to be nul-terminated and the length value will always be used, in which case the memset() looks useless I suggest that you revert the memset() to IW_ESSID_MAX_SIZE+1 so that the last byte is cleared as well. Or am I missing something? Sam -- Samuel Tardieu -- sam@rfc1149.net -- http://www.rfc1149.net/ - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/