Staging: otus: off by one in usbdrvwext_siwessid()
A 33 char ESSID is too long and it could cause a buffer overflow
a couple lines below when we put a NULL terminator on the end.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Dan Carpenter authored and Greg Kroah-Hartman committed Mar 4, 2010
1 parent ed30013 commit 1c7e4a7
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion drivers/staging/otus/ioctl.c
Expand Up @@ -930,7 +930,7 @@ int usbdrvwext_siwessid(struct net_device *dev,
return -EINVAL;

if (essid->flags == 1) {
if (essid->length > (IW_ESSID_MAX_SIZE + 1))
if (essid->length > IW_ESSID_MAX_SIZE)
return -E2BIG;

if (copy_from_user(&EssidBuf, essid->pointer, essid->length))
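Review bot: The tightened bound at `if (essid->length > IW_ESSID_MAX_SIZE)` is written against the constant rather than against the destination, so it is only correct as long as `EssidBuf`, whose declaration is outside this hunk, keeps room for `IW_ESSID_MAX_SIZE` bytes plus the terminator that the commit message says is written a couple of lines below. Please confirm the declared size in the changelog or a short comment above the check, and, if `EssidBuf` is a fixed-size array, consider expressing the limit as `essid->length > sizeof(EssidBuf) - 1` so the check and the `copy_from_user()` length cannot drift apart if the buffer is ever resized.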