From 3bd2da89b4d7753b9a926dca5769aa2708aee71d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Neum=C3=BCller?= Date: Tue, 9 Sep 2014 14:07:11 +0200 Subject: bcmdhd wireless: Fix more off by one errors. These were not detected by the stack protector, either because the functions where not called or because the corruption hits a local variable. Change-Id: I385c81b133ee09c28df56597df3fb25d9c063f43 --- drivers/net/wireless/bcmdhd/dhd_custom_sec.c | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/drivers/net/wireless/bcmdhd/dhd_custom_sec.c b/drivers/net/wireless/bcmdhd/dhd_custom_sec.c index c099490639f..d79e9d2cbc9 100644 --- a/drivers/net/wireless/bcmdhd/dhd_custom_sec.c +++ b/drivers/net/wireless/bcmdhd/dhd_custom_sec.c @@ -366,10 +366,10 @@ void get_customized_country_code(void *adapter, char *country_iso_code, wl_count int dhd_read_macaddr(struct dhd_info *dhd, struct ether_addr *mac) { struct file *fp = NULL; - char macbuffer[18] = {0}; + char macbuffer[MACBUFFER_SZ] = {0}; mm_segment_t oldfs = {0}; char randommac[3] = {0}; - char buf[18] = {0}; + char buf[MACBUFFER_SZ] = {0}; char *filepath_efs = MACINFO_EFS; int ret = 0; @@ -394,7 +394,7 @@ start_readmac: if (fp->f_mode & FMODE_WRITE) { ret = fp->f_op->write(fp, (const char *)macbuffer, - sizeof(macbuffer), &fp->f_pos); + sizeof(macbuffer) - 1 /* skip null byte */, &fp->f_pos); if (ret < 0) DHD_ERROR(("[WIFI_SEC] MAC address [%s] Failed to write into File:" " %s\n", macbuffer, filepath_efs)); @@ -462,7 +462,7 @@ int dhd_write_rdwr_macaddr(struct ether_addr *mac) char *filepath_data = MACINFO; char *filepath_efs = MACINFO_EFS; struct file *fp_mac = NULL; - char buf[18] = {0}; + char buf[MACBUFFER_SZ] = {0}; mm_segment_t oldfs = {0}; int ret = -1; @@ -484,7 +484,7 @@ int dhd_write_rdwr_macaddr(struct ether_addr *mac) if (fp_mac->f_mode & FMODE_WRITE) { ret = fp_mac->f_op->write(fp_mac, (const char *)buf, - sizeof(buf), &fp_mac->f_pos); + sizeof(buf) - 1 /* skip null byte */, &fp_mac->f_pos); if (ret < 0) DHD_ERROR(("[WIFI_SEC] Mac address [%s] Failed" " to write into File: %s\n", buf, filepath_data)); @@ -506,7 +506,7 @@ int dhd_write_rdwr_macaddr(struct ether_addr *mac) if (fp_mac->f_mode & FMODE_WRITE) { ret = fp_mac->f_op->write(fp_mac, (const char *)buf, - sizeof(buf), &fp_mac->f_pos); + sizeof(buf) - 1 /* skip null byte */, &fp_mac->f_pos); if (ret < 0) DHD_ERROR(("[WIFI_SEC] Mac address [%s] Failed" " to write into File: %s\n", buf, filepath_efs)); @@ -527,9 +527,9 @@ int dhd_check_rdwr_macaddr(struct dhd_info *dhd, dhd_pub_t *dhdp, { struct file *fp_mac = NULL; struct file *fp_nvm = NULL; - char macbuffer[18] = {0}; + char macbuffer[MACBUFFER_SZ] = {0}; char randommac[3] = {0}; - char buf[18] = {0}; + char buf[MACBUFFER_SZ] = {0}; char *filepath_data = MACINFO; char *filepath_efs = MACINFO_EFS; #ifdef CONFIG_TARGET_LOCALE_NA @@ -539,7 +539,7 @@ int dhd_check_rdwr_macaddr(struct dhd_info *dhd, dhd_pub_t *dhdp, #endif char cur_mac[128] = {0}; char dummy_mac[ETHER_ADDR_LEN] = {0x00, 0x90, 0x4C, 0xC5, 0x12, 0x38}; - char cur_macbuffer[18] = {0}; + char cur_macbuffer[MACBUFFER_SZ] = {0}; int ret = -1; g_imac_flag = MACADDR_NONE; @@ -733,10 +733,10 @@ int dhd_check_rdwr_macaddr(struct dhd_info *dhd, dhd_pub_t *dhdp, int dhd_write_rdwr_korics_macaddr(struct dhd_info *dhd, struct ether_addr *mac) { struct file *fp = NULL; - char macbuffer[18] = {0}; + char macbuffer[MACBUFFER_SZ] = {0}; mm_segment_t oldfs = {0}; char randommac[3] = {0}; - char buf[18] = {0}; + char buf[MACBUFFER_SZ] = {0}; char *filepath_efs = MACINFO_EFS; int is_zeromac = 0; int ret = 0; @@ -769,7 +769,7 @@ int dhd_write_rdwr_korics_macaddr(struct dhd_info *dhd, struct ether_addr *mac) if (fp->f_mode & FMODE_WRITE) { ret = fp->f_op->write(fp, (const char *)macbuffer, - sizeof(macbuffer), &fp->f_pos); + sizeof(macbuffer) - 1 /* skip null byte */, &fp->f_pos); if (ret < 0) DHD_ERROR(("[WIFI_SEC] Mac address [%s]" " Failed to write into File:" @@ -867,7 +867,7 @@ static void dhd_dump_cis(const unsigned char *buf, int size) int i; for (i = 0; i < size; i++) { DHD_ERROR(("%02X ", buf[i])); - if ((i % 15) == 15) DHD_ERROR(("\n")); + if ((i % 15) == 15) DHD_ERROR(("\n")); /* FIXME: Will always be false */ } DHD_ERROR(("\n")); } -- cgit v1.2.3