wlan: fix buffer overflow in linkspeed ioctl

In linkspeed ioctl handler, mac address array is allocated a size of MAC_ADDRESS_STR_LEN, which is 18 bytes taking account of null terminator '\0'. But in code, a null terminator is being manually added at index MAC_ADDRESS_STR_LEN. This would overflow the buffer and hence null terminator should be added at MAC_ADDRESS_STR_LEN -1. Change-Id: I16c2d0f787dfa339780db7d888aff37355c32322 CRs-fixed: 1000861
author: c_manjee <c_manjee@qti.qualcomm.com> 2016-04-26 17:01:36 +0530
committer: Anjaneedevi Kapparapu <akappa@codeaurora.org> 2016-05-02 17:26:39 +0530
commit: c4f67fd95f0baee94d8cc080c6b12e0e890939c9 (patch)
tree: 600b8abf51ac66084168f5f6d071646176d1b140
parent: 6aa2052c8a9539c329d684370a1b27e73d00ff77 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/CORE/HDD/src/wlan_hdd_hostapd.c b/CORE/HDD/src/wlan_hdd_hostapd.c
index f821fc1c8673..f9209e8ddeaf 100644
--- a/CORE/HDD/src/wlan_hdd_hostapd.c
+++ b/CORE/HDD/src/wlan_hdd_hostapd.c
@@ -6084,7 +6084,7 @@ __iw_get_softap_linkspeed(struct net_device *dev, struct iw_request_info *info,
           kfree(pmacAddress);
           return -EFAULT;
       }
-      pmacAddress[MAC_ADDRESS_STR_LEN] = '\0';
+      pmacAddress[MAC_ADDRESS_STR_LEN -1] = '\0';
 
       status = hdd_string_to_hex (pmacAddress, MAC_ADDRESS_STR_LEN, macAddress );
       kfree(pmacAddress);
author	c_manjee <c_manjee@qti.qualcomm.com>	2016-04-26 17:01:36 +0530
committer	Anjaneedevi Kapparapu <akappa@codeaurora.org>	2016-05-02 17:26:39 +0530
commit	c4f67fd95f0baee94d8cc080c6b12e0e890939c9 (patch)
tree	600b8abf51ac66084168f5f6d071646176d1b140
parent	6aa2052c8a9539c329d684370a1b27e73d00ff77 (diff)