Commit | Line | Data |
---|---|---|
d3cd607a GKH |
1 | From 1f9c6e1bc1ba5f8a10fcd6e99d170954d7c6d382 Mon Sep 17 00:00:00 2001 |
2 | From: Dan Carpenter <dan.carpenter@oracle.com> | |
3 | Date: Mon, 21 Sep 2015 19:19:53 +0300 | |
4 | Subject: mwifiex: fix mwifiex_rdeeprom_read() | |
5 | ||
6 | From: Dan Carpenter <dan.carpenter@oracle.com> | |
7 | ||
8 | commit 1f9c6e1bc1ba5f8a10fcd6e99d170954d7c6d382 upstream. | |
9 | ||
10 | There were several bugs here. | |
11 | ||
12 | 1) The done label was in the wrong place so we didn't copy any | |
13 | information out when there was no command given. | |
14 | ||
15 | 2) We were using PAGE_SIZE as the size of the buffer instead of | |
16 | "PAGE_SIZE - pos". | |
17 | ||
18 | 3) snprintf() returns the number of characters that would have been | |
19 | printed if there were enough space. If there was not enough space | |
20 | (and we had fixed the memory corruption bug #2) then it would result | |
21 | in an information leak when we do simple_read_from_buffer(). I've | |
22 | changed it to use scnprintf() instead. | |
23 | ||
24 | I also removed the initialization at the start of the function, because | |
25 | I thought it made the code a little more clear. | |
26 | ||
27 | Fixes: 5e6e3a92b9a4 ('wireless: mwifiex: initial commit for Marvell mwifiex driver') | |
28 | Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> | |
29 | Acked-by: Amitkumar Karwar <akarwar@marvell.com> | |
30 | Signed-off-by: Kalle Valo <kvalo@codeaurora.org> | |
31 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
32 | ||
33 | --- | |
34 | drivers/net/wireless/mwifiex/debugfs.c | 14 +++++++------- | |
35 | 1 file changed, 7 insertions(+), 7 deletions(-) | |
36 | ||
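--- a/drivers/net/wireless/mwifiex/debugfs.c
+++ b/drivers/net/wireless/mwifiex/debugfs.c
@@ -637,7 +637,7 @@ mwifiex_rdeeprom_read(struct file *file,
 (struct mwifiex_private *) file->private_data;
 unsigned long addr = get_zeroed_page(GFP_KERNEL);
 char *buf = (char *) addr;
- int pos = 0, ret = 0, i;
+ int pos, ret, i;
 u8 value[MAX_EEPROM_DATA];
 
 if (!buf)
@@ -645,7 +645,7 @@ mwifiex_rdeeprom_read(struct file *file,
 
 if (saved_offset == -1) {
 /* No command has been given */
- pos += snprintf(buf, PAGE_SIZE, "0");
+ pos = snprintf(buf, PAGE_SIZE, "0");
 goto done;
 }
 
@@ -654,17 +654,17 @@ mwifiex_rdeeprom_read(struct file *file,
 (u16) saved_bytes, value);
 if (ret) {
 ret = -EINVAL;
- goto done;
+ goto out_free;
 }
 
- pos += snprintf(buf, PAGE_SIZE, "%d %d ", saved_offset, saved_bytes);
+ pos = snprintf(buf, PAGE_SIZE, "%d %d ", saved_offset, saved_bytes);
 
 for (i = 0; i < saved_bytes; i++)
- pos += snprintf(buf + strlen(buf), PAGE_SIZE, "%d ", value[i]);
-
- ret = simple_read_from_buffer(ubuf, count, ppos, buf, pos);
+ pos += scnprintf(buf + pos, PAGE_SIZE - pos, "%d ", value[i]);
 
 done:
+ ret = simple_read_from_buffer(ubuf, count, ppos, buf, pos);
+out_free:
 free_page(addr);
 return ret;
 }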
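Review bot: The loop at the end of mwifiex_rdeeprom_read() indexes `value[i]` up to `saved_bytes`, but nothing in the visible hunks bounds `saved_bytes` by `MAX_EEPROM_DATA`, the size of the on-stack `value[]` array. If the write-side handler that sets `saved_bytes` does not clamp it (that code is not shown here, so this needs confirming), the loop reads past `value[]`, and the out-of-range stack bytes are formatted into the page and copied to user space, limited only by `PAGE_SIZE`. A bound in the loop closes this regardless of the caller: `for (i = 0; i < saved_bytes && i < MAX_EEPROM_DATA; i++)`. The `(u16) saved_bytes` cast in the `mwifiex_eeprom_read()` call also truncates a value the loop later uses untruncated, so range-checking it where it is parsed would be the more complete fix. The function's signature and opening lines lie outside the hunks.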