From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Fri, 14 Feb 2014 09:03:13 +0000 (+0300)
Subject: mwifiex: memory corruption in mwifiex_tdls_add_vht_capab()
X-Git-Tag: v5.15~18171^2~18^2^2~263
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=c42c65c1d5863bca54e45ea25ecb24a3def29f59;p=platform%2Fkernel%2Flinux-starfive.git

mwifiex: memory corruption in mwifiex_tdls_add_vht_capab()

There is a typo here because the names are confusingly similar.  The
intent was sizeof(struct ieee80211_vht_cap) (size 12) but sizeof(struct
ieee80211_ht_cap) (size 32) was used.

Anway, it's cleaner to just specify the variable instead of the type.

Fixes: 5f6d5983394f ('mwifiex: add VHT support for TDLS')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
---

diff --git a/drivers/net/wireless/mwifiex/tdls.c b/drivers/net/wireless/mwifiex/tdls.c
index 5efd456..1ba2a16 100644
--- a/drivers/net/wireless/mwifiex/tdls.c
+++ b/drivers/net/wireless/mwifiex/tdls.c
@@ -180,7 +180,7 @@ static int mwifiex_tdls_add_vht_capab(struct mwifiex_private *priv,
 	memset(&vht_cap, 0, sizeof(struct ieee80211_vht_cap));
 
 	mwifiex_fill_vht_cap_tlv(priv, &vht_cap, priv->curr_bss_params.band);
-	memcpy(pos, &vht_cap, sizeof(struct ieee80211_ht_cap));
+	memcpy(pos, &vht_cap, sizeof(vht_cap));
 
 	return 0;
 }