From d936435f2082788748ae5783cf2c006367d04bb8 Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Wed, 9 Feb 2011 01:45:13 +0300 Subject: [PATCH] Staging: rtl8712: fix math errors in snprintf() The original code had calls to snprintf(p, 7, "wpa_ie=") but that string is 8 characters (because snprintf() puts a NUL terminator on the end). So instead of an '=' the what gets written to buf is a NUL terminator followed by the rest of the string. And actually the %02x formats are three chars as well when you include the terminator. Signed-off-by: Dan Carpenter Signed-off-by: Greg Kroah-Hartman --- drivers/staging/rtl8712/rtl871x_ioctl_linux.c | 22 +++++++++++-------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/drivers/staging/rtl8712/rtl871x_ioctl_linux.c b/drivers/staging/rtl8712/rtl871x_ioctl_linux.c index 0d288c159c1d..221be81c85eb 100644 --- a/drivers/staging/rtl8712/rtl871x_ioctl_linux.c +++ b/drivers/staging/rtl8712/rtl871x_ioctl_linux.c @@ -281,18 +281,20 @@ static inline char *translate_scan(struct _adapter *padapter, /* parsing WPA/WPA2 IE */ { u16 wpa_len = 0, rsn_len = 0; - u8 *p; + int n; sint out_len = 0; out_len = r8712_get_sec_ie(pnetwork->network.IEs, pnetwork->network. IELength, rsn_ie, &rsn_len, wpa_ie, &wpa_len); if (wpa_len > 0) { - p = buf; memset(buf, 0, MAX_WPA_IE_LEN); - p += snprintf(p, 7, "wpa_ie="); - for (i = 0; i < wpa_len; i++) - p += snprintf(p, 2, "%02x", wpa_ie[i]); + n = sprintf(buf, "wpa_ie="); + for (i = 0; i < wpa_len; i++) { + n += snprintf(buf + n, MAX_WPA_IE_LEN - n, "%02x", wpa_ie[i]); + if (n >= MAX_WPA_IE_LEN) + break; + } memset(&iwe, 0, sizeof(iwe)); iwe.cmd = IWEVCUSTOM; iwe.u.data.length = (u16)strlen(buf); 
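Review bot: In the new wpa_ie loop `n` can end up larger than the string actually stored, because snprintf() returns the length it would have written; the `break` is the only thing that keeps `MAX_WPA_IE_LEN - n` from reaching zero or going negative on a further pass. The kernel's scnprintf() returns the characters really stored, so `n += scnprintf(buf + n, MAX_WPA_IE_LEN - n, "%02x", wpa_ie[i]);` keeps `n` a valid offset, and the exit test can become `if (n >= MAX_WPA_IE_LEN - 1) break;`. The IE bytes appear to come from received scan data, so a short comment stating that long IEs are silently cut at MAX_WPA_IE_LEN - 1 characters would help the next reader, e.g. `/* hex dump is truncated to fit buf; long IEs lose their tail */`. The same applies to the rsn_ie loop in the second hunk; translate_scan() starts and ends outside both hunks.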
@@ -305,11 +307,13 @@ static inline char *translate_scan(struct _adapter *padapter, &iwe, wpa_ie); } if (rsn_len > 0) { - p = buf; memset(buf, 0, MAX_WPA_IE_LEN); - p += snprintf(p, 7, "rsn_ie="); - for (i = 0; i < rsn_len; i++) - p += snprintf(p, 2, "%02x", rsn_ie[i]); + n = sprintf(buf, "rsn_ie="); + for (i = 0; i < rsn_len; i++) { + n += snprintf(buf + n, MAX_WPA_IE_LEN - n, "%02x", rsn_ie[i]); + if (n >= MAX_WPA_IE_LEN) + break; + } memset(&iwe, 0, sizeof(iwe)); iwe.cmd = IWEVCUSTOM; iwe.u.data.length = strlen(buf);
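Review bot: The rsn_ie block repeats the wpa_ie formatting loop from the first hunk line for line, so the bound on `buf` now has to be kept correct in two places. A small static helper that takes the prefix, the IE and its length would hold that check once; the sketch below uses scnprintf() and stops while a full two-digit pair still fits, so the string never ends on half an octet. The helper name is illustrative, and the declarations of `buf` and `rsn_ie` are outside the hunk, so the parameter types are assumed and a cast may be needed at the call site.

```c
/* Write prefix followed by the IE as hex; output is cut at size - 1 chars. */
static int ie_hex_event(char *buf, int size, const char *prefix,
			const u8 *ie, u16 ie_len)
{
	int n = scnprintf(buf, size, "%s", prefix);
	u16 i;

	/* continue only while a whole "%02x" pair plus the NUL still fits */
	for (i = 0; i < ie_len && size - n > 2; i++)
		n += scnprintf(buf + n, size - n, "%02x", ie[i]);
	return n;
}

/* … unchanged: if (rsn_len > 0) { memset(buf, 0, MAX_WPA_IE_LEN); … */
n = ie_hex_event(buf, MAX_WPA_IE_LEN, "rsn_ie=", rsn_ie, rsn_len);
/* … unchanged: IWEVCUSTOM event setup … */
```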