Make cfg80211_dev_rename() check sscanf return value.
Signed-off-by: Zhitong Wang <[email protected]>
---
net/wireless/core.c | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)
diff --git a/net/wireless/core.c b/net/wireless/core.c
index 80afacd..8e815b4 100644
--- a/net/wireless/core.c
+++ b/net/wireless/core.c
@@ -146,7 +146,9 @@ int cfg80211_dev_rename(struct cfg80211_registered_device *rdev,
int idx, taken = -1, result, digits;
/* prohibit calling the thing phy%d when %d is not its number */
- sscanf(newname, PHY_NAME "%d%n", &idx, &taken);
+ if (sscanf(newname, PHY_NAME "%d%n", &idx, &taken) != 2)
+ return -EINVAL;
+
if (taken == strlen(newname) && idx != rdev->idx) {
/* count number of places needed to print idx */
digits = 1;
--
1.6.5.3
On Sat, 2010-03-20 at 12:53 +0800, [email protected] wrote:
> Make cfg80211_dev_rename() check sscanf return value.
>
> Signed-off-by: Zhitong Wang <[email protected]>
>
> ---
> net/wireless/core.c | 4 +++-
> 1 files changed, 3 insertions(+), 1 deletions(-)
>
> diff --git a/net/wireless/core.c b/net/wireless/core.c
> index 80afacd..8e815b4 100644
> --- a/net/wireless/core.c
> +++ b/net/wireless/core.c
> @@ -146,7 +146,9 @@ int cfg80211_dev_rename(struct cfg80211_registered_device *rdev,
> int idx, taken = -1, result, digits;
>
> /* prohibit calling the thing phy%d when %d is not its number */
> - sscanf(newname, PHY_NAME "%d%n", &idx, &taken);
> + if (sscanf(newname, PHY_NAME "%d%n", &idx, &taken) != 2)
> + return -EINVAL;
> +
Umm, no, your patch breaks it completely. Look at the logic again.
johannes