Thread: 14 messages, 7 authors, 2006-10-05

Re: 2.6.18-mm2 - oops in cache_alloc_refill()

From: Samuel Tardieu <hidden>
Date: 2006-10-03 15:58:39
Also in: lkml

"Jean" == Jean Tourrilhes [off-list ref] writes:
Jean> @@ -2500,9 +2501,9 @@ static int orinoco_hw_get_essid(struct o
Jean>  	len = le16_to_cpu(essidbuf.len);
Jean>  	BUG_ON(len > IW_ESSID_MAX_SIZE);
Jean>  
Jean> -	memset(buf, 0, IW_ESSID_MAX_SIZE+1);
Jean> +	memset(buf, 0, IW_ESSID_MAX_SIZE);
Jean>  	memcpy(buf, p, len);
Jean> -	buf[len] = '\0';
Jean> +	err = len;
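Review bot: shrinking the memset() to IW_ESSID_MAX_SIZE while also dropping `buf[len] = '\0';` leaves buf with no terminator when len == IW_ESSID_MAX_SIZE, a length the BUG_ON() above still permits (it only rejects len > IW_ESSID_MAX_SIZE). Any caller that treats buf as a C string then reads past the end of the buffer. Either keep `memset(buf, 0, IW_ESSID_MAX_SIZE+1);` so the trailing byte is cleared, or, if buf is meant to be length-counted via the returned err, say so in a comment and drop the memset() entirely, since the clearing does nothing useful in that case.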

Jean,

something bugs me here:

  - either buf is supposed to be a nul-terminated string, in which
    case if p is IW_ESSID_MAX_SIZE long there may be a bug (no '\0' at
    the end of buf)

  - or buf is not supposed to be nul-terminated and the length
    value will always be used, in which case the memset() looks
    useless

I suggest that you revert the memset() to IW_ESSID_MAX_SIZE+1 so that
the last byte is cleared as well. Or am I missing something?

 Sam
-- 
Samuel Tardieu -- sam@rfc1149.net -- http://www.rfc1149.net/
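The off-by-one discussed above, as an added example that is not code from the thread or from the orinoco driver: a stand-in for the tail of orinoco_hw_get_essid() that can run with either memset() size, with or without the dropped terminator, against a maximal 32-byte ESSID. IW_ESSID_MAX_SIZE is the value from include/linux/wireless.h; struct essid_rec and the helper names are constructed for this example.

```c
#include <stdint.h>
#include <string.h>

/* Value from include/linux/wireless.h; buf in the hunk holds IW_ESSID_MAX_SIZE + 1
 * bytes so that a NUL terminator always fits after a maximal ESSID. */
#define IW_ESSID_MAX_SIZE 32

/* Constructed stand-in for the ESSID record the driver reads back. */
struct essid_rec {
    uint16_t len;
    char val[IW_ESSID_MAX_SIZE];
};

/* Models both sides of the hunk: clear_len is the memset() size and add_term
 * the dropped buf[len] = '\0'. Returns len, or -1 for the BUG_ON() case. */
static int copy_essid(char *buf, const struct essid_rec *rec, size_t clear_len, int add_term)
{
    size_t len = rec->len;
    if (len > IW_ESSID_MAX_SIZE)
        return -1;
    memset(buf, 0, clear_len);
    memcpy(buf, rec->val, len);
    if (add_term)
        buf[len] = '\0';
    return (int)len;
}

/* Index of the first NUL inside the IW_ESSID_MAX_SIZE + 1 buffer, or -1 if
 * there is none: then a caller treating buf as a C string reads past it. */
static int nul_index(const char *buf)
{
    for (size_t i = 0; i <= IW_ESSID_MAX_SIZE; i++)
        if (buf[i] == '\0')
            return (int)i;
    return -1;
}

/* Copies an essid_len-byte ESSID (essid_len <= IW_ESSID_MAX_SIZE) into a buffer
 * pre-filled with 0xAA, so stale memory cannot supply a terminator by luck. */
static int terminator_after(size_t essid_len, size_t clear_len, int add_term)
{
    struct essid_rec rec = { (uint16_t)essid_len, {0} };
    char buf[IW_ESSID_MAX_SIZE + 1];
    memset(rec.val, 'A', essid_len);
    memset(buf, 0xAA, sizeof buf);
    if (copy_essid(buf, &rec, clear_len, add_term) < 0)
        return -2;
    return nul_index(buf);
}
```

With a 32-byte ESSID the original code and Samuel's suggested revert both leave the NUL at index 32, while the patched combination (memset of IW_ESSID_MAX_SIZE, no explicit terminator) leaves none in the buffer at all.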