From: Tim Gardner Date: Thu, 7 Feb 2013 20:28:09 +0000 (-0700) Subject: brcmsmac: avoid 512 byte stack variable X-Git-Tag: v3.9~407^2~31^2^2~57 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=0d61c9177cb9bf48dcec9c3d9205a309085d4318;p=platform%2Fkernel%2Flinux-amlogic.git brcmsmac: avoid 512 byte stack variable Dynamically allocate the probe response template which avoids potential stack corruption. Observed with smatch: drivers/net/wireless/brcm80211/brcmsmac/main.c:7412 brcms_c_bss_update_probe_resp() warn: 'prb_resp' puts 512 bytes on stack Cc: Brett Rudley Cc: Arend van Spriel Cc: "Franky (Zhenhui) Lin" Cc: Hante Meuleman Cc: "John W. Linville" Cc: Seth Forshee Cc: Pieter-Paul Giesberts Cc: Hauke Mehrtens Cc: linux-wireless@vger.kernel.org Cc: brcm80211-dev-list@broadcom.com Cc: netdev@vger.kernel.org Signed-off-by: Tim Gardner Acked-by: Arend van Spriel Signed-off-by: John W. Linville --- diff --git a/drivers/net/wireless/brcm80211/brcmsmac/main.c b/drivers/net/wireless/brcm80211/brcmsmac/main.c index 080b54d..0985925 100644 --- a/drivers/net/wireless/brcm80211/brcmsmac/main.c +++ b/drivers/net/wireless/brcm80211/brcmsmac/main.c @@ -7405,9 +7405,13 @@ brcms_c_bss_update_probe_resp(struct brcms_c_info *wlc, struct brcms_bss_cfg *cfg, bool suspend) { - u16 prb_resp[BCN_TMPL_LEN / 2]; + u16 *prb_resp; int len = BCN_TMPL_LEN; + prb_resp = kmalloc(BCN_TMPL_LEN, GFP_ATOMIC); + if (!prb_resp) + return; + /* * write the probe response to hardware, or save in * the config structure @@ -7441,6 +7445,8 @@ brcms_c_bss_update_probe_resp(struct brcms_c_info *wlc, if (suspend) brcms_c_enable_mac(wlc); + + kfree(prb_resp); } void brcms_c_update_probe_resp(struct brcms_c_info *wlc, bool suspend)
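Review bot: In the first hunk (@@ -7405,9 +7405,13 @@), the new `if (!prb_resp) return;` fails silently. The function returns void, so when the GFP_ATOMIC allocation fails the probe response template is simply not updated and neither the caller nor the log shows it. Consider at least a rate-limited warning on that path. The commit message also does not say why GFP_ATOMIC is required. If every caller can sleep, GFP_KERNEL would make the failure far less likely. If the context really is atomic, a short comment saying so would help the next reader. Minor: `len` is still initialised from BCN_TMPL_LEN separately from the allocation size; passing `len` to kmalloc, or commenting that the two must match, keeps the buffer size and the length handed to the template code from drifting apart.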
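Review bot: In the second hunk (@@ -7441,6 +7445,8 @@), the single `kfree(prb_resp);` at the end of the function only covers the fall-through path. The body between the allocation and this point is not visible in the diff, so please confirm there is no `return` in between that would now leak BCN_TMPL_LEN bytes per call. If such an exit exists or is added later, a common `out:` label ahead of the `if (suspend) brcms_c_enable_mac(wlc);` tail keeps the free and the MAC re-enable on one exit path. The comment "save in the config structure" in the first hunk's context also suggests checking that no pointer to `prb_resp` is stored beyond this call. That was equally unsafe with the stack array, but after this change it would become a use-after-free of heap memory.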