Dynamically allocate the probe response template which avoids potential stack corruption. Observed with smatch:
drivers/net/wireless/brcm80211/brcmsmac/main.c:7412 brcms_c_bss_update_probe_resp() warn: 'prb_resp' puts 512 bytes on stack Cc: Brett Rudley <brud...@broadcom.com> Cc: Arend van Spriel <ar...@broadcom.com> Cc: "Franky (Zhenhui) Lin" <fran...@broadcom.com> Cc: Hante Meuleman <meule...@broadcom.com> Cc: "John W. Linville" <linvi...@tuxdriver.com> Cc: Seth Forshee <seth.fors...@canonical.com> Cc: Pieter-Paul Giesberts <piete...@broadcom.com> Cc: Hauke Mehrtens <ha...@hauke-m.de> Cc: linux-wirel...@vger.kernel.org Cc: brcm80211-dev-l...@broadcom.com Cc: net...@vger.kernel.org Signed-off-by: Tim Gardner <tim.gard...@canonical.com> --- drivers/net/wireless/brcm80211/brcmsmac/main.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/drivers/net/wireless/brcm80211/brcmsmac/main.c b/drivers/net/wireless/brcm80211/brcmsmac/main.c index c26992a..e392e76 100644 --- a/drivers/net/wireless/brcm80211/brcmsmac/main.c +++ b/drivers/net/wireless/brcm80211/brcmsmac/main.c @@ -7408,9 +7408,16 @@ brcms_c_bss_update_probe_resp(struct brcms_c_info *wlc, struct brcms_bss_cfg *cfg, bool suspend) { - u16 prb_resp[BCN_TMPL_LEN / 2]; + u16 *prb_resp; int len = BCN_TMPL_LEN; + prb_resp = kmalloc(BCN_TMPL_LEN, GFP_ATOMIC); + if (!prb_resp) { + wiphy_err(wlc->wiphy, "wl: %s: failed to alloc %u bytes\n", + __func__, BCN_TMPL_LEN); + return; + } + /* * write the probe response to hardware, or save in * the config structure @@ -7444,6 +7451,8 @@ brcms_c_bss_update_probe_resp(struct brcms_c_info *wlc, if (suspend) brcms_c_enable_mac(wlc); + + kfree(prb_resp); } void brcms_c_update_probe_resp(struct brcms_c_info *wlc, bool suspend) -- 1.7.9.5
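
Review bot: the `kmalloc(BCN_TMPL_LEN, GFP_ATOMIC)` in the first hunk gives no reason for GFP_ATOMIC. The commit message does not say that brcms_c_bss_update_probe_resp() runs in atomic context, and if its callers may sleep, GFP_KERNEL is less likely to fail. Because `u16 prb_resp[BCN_TMPL_LEN / 2]` becomes `u16 *prb_resp`, please also confirm that the unchanged body between the two hunks never takes `sizeof(prb_resp)`, which would now be the pointer size rather than 512. The wiphy_err() on the failure path can be dropped, since the allocator already warns when kmalloc() fails without __GFP_NOWARN, and the bare `return` leaves the caller with no indication that the probe response template was not updated.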
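
Review bot: the single `kfree(prb_resp)` added after `brcms_c_enable_mac(wlc)` in the second hunk frees the buffer only on the fall-through path, and the lines between the allocation and `if (suspend)` are not shown in this diff. Any existing `return` in that region would now leak the BCN_TMPL_LEN buffer on every call, so please confirm there is none, or route all exits through one label that does the kfree().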