| author | c_manjee <c_manjee@qti.qualcomm.com> | 2016-04-26 17:01:36 +0530 |
|---|---|---|
| committer | Anjaneedevi Kapparapu <akappa@codeaurora.org> | 2016-05-02 12:29:43 +0530 |
| commit | bf09d4458716d4bb2fe2afa236ab5cc0340e8230 (patch) | |
| tree | 600b8abf51ac66084168f5f6d071646176d1b140 | |
| parent | fa714fc70ea41cd1dc16313a87223dc26153bffa (diff) | |
wlan: fix buffer overflow in linkspeed ioctl
In linkspeed ioctl handler, mac address array is allocated a
size of MAC_ADDRESS_STR_LEN, which is 18 bytes taking account of null
terminator '\0'. But in code, a null terminator is being manually added
at index MAC_ADDRESS_STR_LEN. This would overflow the buffer and hence
null terminator should be added at MAC_ADDRESS_STR_LEN -1.
Change-Id: I16c2d0f787dfa339780db7d888aff37355c32322
CRs-fixed: 1000861
| -rw-r--r-- | CORE/HDD/src/wlan_hdd_hostapd.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/CORE/HDD/src/wlan_hdd_hostapd.c b/CORE/HDD/src/wlan_hdd_hostapd.c index f821fc1c8673..f9209e8ddeaf 100644 --- a/CORE/HDD/src/wlan_hdd_hostapd.c +++ b/CORE/HDD/src/wlan_hdd_hostapd.c @@ -6084,7 +6084,7 @@ __iw_get_softap_linkspeed(struct net_device *dev, struct iw_request_info *info, kfree(pmacAddress); return -EFAULT; } - pmacAddress[MAC_ADDRESS_STR_LEN] = '\0'; + pmacAddress[MAC_ADDRESS_STR_LEN -1] = '\0'; status = hdd_string_to_hex (pmacAddress, MAC_ADDRESS_STR_LEN, macAddress ); kfree(pmacAddress); |
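Review bot: The added line `pmacAddress[MAC_ADDRESS_STR_LEN -1] = '\0';` is in bounds for the 18-byte allocation the commit message describes, but neither the allocation nor the user copy that fails with -EFAULT is visible in this hunk, so both need checking against the same constant. If that copy writes a full MAC_ADDRESS_STR_LEN bytes, the terminator now silently overwrites the last copied byte. If the allocation size ever changes, this index goes stale, so deriving the index from the size actually allocated would keep the two in step. The following call still passes MAC_ADDRESS_STR_LEN to hdd_string_to_hex, which now includes the terminator position; please confirm that argument is meant as a buffer size and not a count of characters to parse. Style: write the index as `MAC_ADDRESS_STR_LEN - 1`, with a space on both sides of the operator.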
