2013-08-09 09:52:53

by Dan Carpenter

Subject: [patch] Hostap: copying wrong data prism2_ioctl_giwaplist()

We want the data stored in "addr" and "qual", but the extra ampersands
mean we are copying stack data instead.

Signed-off-by: Dan Carpenter <[email protected]>
---
Static checker stuff. Untested. Should probably be applied to -stable
as well.

diff --git a/drivers/net/wireless/hostap/hostap_ioctl.c b/drivers/net/wireless/hostap/hostap_ioctl.c
index ac07473..e509030 100644
--- a/drivers/net/wireless/hostap/hostap_ioctl.c
+++ b/drivers/net/wireless/hostap/hostap_ioctl.c
@@ -523,9 +523,9 @@ static int prism2_ioctl_giwaplist(struct net_device *dev,

data->length = prism2_ap_get_sta_qual(local, addr, qual, IW_MAX_AP, 1);

- memcpy(extra, &addr, sizeof(struct sockaddr) * data->length);
+ memcpy(extra, addr, sizeof(struct sockaddr) * data->length);
data->flags = 1; /* has quality information */
- memcpy(extra + sizeof(struct sockaddr) * data->length, &qual,
+ memcpy(extra + sizeof(struct sockaddr) * data->length, qual,
sizeof(struct iw_quality) * data->length);

kfree(addr);
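
Review bot: On the two removed memcpy() lines the source was &addr and &qual, the addresses of the local pointer variables, so the copy took sizeof(struct sockaddr) * data->length bytes starting at those stack slots and placed them in extra, the buffer this get-handler fills. The changelog should state that consequence, not only that the data is wrong, because it is the argument for -stable. The "should probably be applied to -stable" remark sits below the --- line and is dropped when the patch is applied, so it would be better expressed as a Cc: stable tag next to the Signed-off-by. The replacement lines that pass addr and qual directly look right: addr is handed to kfree() in the trailing context, so it is a heap pointer and not an on-stack array.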


2013-08-09 15:45:13

by John W. Linville

Subject: Re: [patch] Hostap: copying wrong data prism2_ioctl_giwaplist()

Here I must insert the obligatory question:

Does anyone actually still use the hostap driver??

John

On Fri, Aug 09, 2013 at 12:52:31PM +0300, Dan Carpenter wrote:
> We want the data stored in "addr" and "qual", but the extra ampersands
> mean we are copying stack data instead.
>
> Signed-off-by: Dan Carpenter <[email protected]>
> ---
> Static checker stuff. Untested. Should probably be applied to -stable
> as well.
>
> diff --git a/drivers/net/wireless/hostap/hostap_ioctl.c b/drivers/net/wireless/hostap/hostap_ioctl.c
> index ac07473..e509030 100644
> --- a/drivers/net/wireless/hostap/hostap_ioctl.c
> +++ b/drivers/net/wireless/hostap/hostap_ioctl.c
> @@ -523,9 +523,9 @@ static int prism2_ioctl_giwaplist(struct net_device *dev,
>
> data->length = prism2_ap_get_sta_qual(local, addr, qual, IW_MAX_AP, 1);
>
> - memcpy(extra, &addr, sizeof(struct sockaddr) * data->length);
> + memcpy(extra, addr, sizeof(struct sockaddr) * data->length);
> data->flags = 1; /* has quality information */
> - memcpy(extra + sizeof(struct sockaddr) * data->length, &qual,
> + memcpy(extra + sizeof(struct sockaddr) * data->length, qual,
> sizeof(struct iw_quality) * data->length);
>
> kfree(addr);
>
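
Review bot: Both memcpy() calls size the copy from data->length, which is assigned straight from the return value of prism2_ap_get_sta_qual() with no check in between. The call passes IW_MAX_AP as the limit, so the upper bound is presumably enforced there, but the hunk does not show whether the function can return a negative error code. If it can, sizeof(struct sockaddr) * data->length becomes a very large copy size. Since the patch is marked untested, it is worth confirming this while these lines are being touched and, if needed, holding the return value in a local int and returning early on a value below zero before it is stored in data->length.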

--
John W. Linville Someday the world will need a hero, and you
[email protected] might be all we have. Be ready.