rtl871x: avoid running off end of buffer

If 32 bytes of non zero are passed in pdata->pointer then the mac_pton
function will run off the end of the buffer. Make sure we always have a
terminated string kernel side.

Signed-off-by: Alan Cox <alan@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/staging/rtl8712/rtl871x_ioctl_linux.c b/drivers/staging/rtl8712/rtl871x_ioctl_linux.c
index a15f3ce..1b9e249 100644 (file)
--- a/drivers/staging/rtl8712/rtl871x_ioctl_linux.c
+++ b/drivers/staging/rtl8712/rtl871x_ioctl_linux.c
@@ -1961,7 +1961,7 @@ static int r871x_get_ap_info(struct net_device *dev,
        struct list_head *plist, *phead;
        unsigned char *pbuf;
        u8 bssid[ETH_ALEN];
-       char data[32];
+       char data[33];
 
        if (padapter->bDriverStopped || (pdata == NULL))
                return -EINVAL;
@@ -1976,6 +1976,7 @@ static int r871x_get_ap_info(struct net_device *dev,
        if (pdata->length >= 32) {
                if (copy_from_user(data, pdata->pointer, 32))
                        return -EINVAL;
+                data[32] = 0;
        } else {
                 return -EINVAL;
        }