Re: 2.6.18-mm2 - oops in cache_alloc_refill()

From: Samuel Tardieu
Date: Tue Oct 03 2006 - 11:58:58 EST

Next message: Theodore Tso: "Re: wpa supplicant/ipw3945, ESSID last char missing"
Previous message: Daniel Walker: "[PATCH -rt] powerpc update"
In reply to: Valdis . Kletnieks: "Re: 2.6.18-mm2 - oops in cache_alloc_refill()"
Next in thread: Jean Tourrilhes: "Re: 2.6.18-mm2 - oops in cache_alloc_refill()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

>>>>> "Jean" == Jean Tourrilhes <jt@xxxxxxxxxx> writes:

Jean> @@ -2500,9 +2501,9 @@ static int orinoco_hw_get_essid(struct o
Jean> len = le16_to_cpu(essidbuf.len);
Jean> BUG_ON(len > IW_ESSID_MAX_SIZE);
Jean>
Jean> - memset(buf, 0, IW_ESSID_MAX_SIZE+1);
Jean> + memset(buf, 0, IW_ESSID_MAX_SIZE);
Jean> memcpy(buf, p, len);
Jean> - buf[len] = '\0';
Jean> + err = len;

Jean,

something bugs me here:

- either buf is supposed to be a nul-terminated string, in which
case if p is IW_ESSID_MAX_SIZE long there may be a bug (no '\0' at
the end of buf)

- either buf is not-supposed to be nul-terminated and the length
value will always be used, in which case the memset() looks
useless

I suggest that you revert the memset() to IW_ESSID_MAX_SIZE+1 so that
the last byte is cleared as well. Or am I missing something?

Sam
--
Samuel Tardieu -- sam@xxxxxxxxxxx -- http://www.rfc1149.net/

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Theodore Tso: "Re: wpa supplicant/ipw3945, ESSID last char missing"
Previous message: Daniel Walker: "[PATCH -rt] powerpc update"
In reply to: Valdis . Kletnieks: "Re: 2.6.18-mm2 - oops in cache_alloc_refill()"
Next in thread: Jean Tourrilhes: "Re: 2.6.18-mm2 - oops in cache_alloc_refill()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]