From: Dan Carpenter <error27@gmail.com>
Date: Sat, 9 Oct 2010 11:54:06 +0000 (+0200)
Subject: Staging: brcm80211: make interface name buffer smaller
X-Git-Tag: v2.6.37-rc1~60^2~3^2~184
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=cbf6baac775f2e3fb61f88dcaa71e44fb34b6906;p=profile%2Fivi%2Fkernel-adaptation-intel-automotive.git

Staging: brcm80211: make interface name buffer smaller

In the original code the interface name was IFNAMSIZ + 1, but that
caused problems in dhd_ifname2idx() which does:
	strncmp(dhd->iflist[i]->name, name, IFNAMSIZ)

The wl_event_msg_t struct can only store 16 character names as well.

And thirdly there is a potential buffer overflow in dhd_op_if() because
if->net->name is IFNAMSIZ and we do:
	strcpy(ifp->net->name, ifp->name);

Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---

diff --git a/drivers/staging/brcm80211/brcmfmac/dhd_linux.c b/drivers/staging/brcm80211/brcmfmac/dhd_linux.c
index 0088d8a..f98049b 100644
--- a/drivers/staging/brcm80211/brcmfmac/dhd_linux.c
+++ b/drivers/staging/brcm80211/brcmfmac/dhd_linux.c
@@ -217,7 +217,7 @@ typedef struct dhd_if {
 	u8 mac_addr[ETHER_ADDR_LEN];	/* assigned MAC address */
 	bool attached;		/* Delayed attachment when unset */
 	bool txflowcontrol;	/* Per interface flow control indicator */
-	char name[IFNAMSIZ + 1];	/* linux interface name */
+	char name[IFNAMSIZ];	/* linux interface name */
 } dhd_if_t;
 
 /* Local private structure (extension of pub) */
@@ -1871,8 +1871,7 @@ dhd_add_if(dhd_info_t *dhd, int ifidx, void *handle, char *name,
 	memset(ifp, 0, sizeof(dhd_if_t));
 	ifp->info = dhd;
 	dhd->iflist[ifidx] = ifp;
-	strncpy(ifp->name, name, IFNAMSIZ);
-	ifp->name[IFNAMSIZ] = '\0';
+	strlcpy(ifp->name, name, IFNAMSIZ);
 	if (mac_addr != NULL)
 		memcpy(&ifp->mac_addr, mac_addr, ETHER_ADDR_LEN);