[patch 46/58] ath5k: fix buffer overrun in rate debug code

[Greg KH]

2.6.29-stable review patch.  If anyone has any objections, please let us know.

------------------

From: Bob Copeland <me@xxxxxxxxxxxxxxx>

commit b7fcb5c4a4c27da2f6d86cb03d18687e537442cf upstream.

char bname[5] is too small for the string "X GHz" when the null
terminator is taken into account.  Thus, turning on rate debugging
can crash unless we have lucky stack alignment.

Cc: stable@xxxxxxxxxx
Reported-by: Paride Legovini <legovini@xxxxxxxxxxxxxxxxxxxxx>
Signed-off-by: Bob Copeland <me@xxxxxxxxxxxxxxx>
Signed-off-by: John W. Linville <linville@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxx>

---
 drivers/net/wireless/ath5k/debug.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/wireless/ath5k/debug.c
+++ b/drivers/net/wireless/ath5k/debug.c
@@ -465,7 +465,7 @@ ath5k_debug_dump_bands(struct ath5k_soft
 
 	for (b = 0; b < IEEE80211_NUM_BANDS; b++) {
 		struct ieee80211_supported_band *band = &sc->sbands[b];
-		char bname[5];
+		char bname[6];
 		switch (band->band) {
 		case IEEE80211_BAND_2GHZ:
 			strcpy(bname, "2 GHz");


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/