mac80211: minstrels: fix buffer overflow in HT debugfs rc_stats

[cascardo/linux.git] / net / mac80211 / rc80211_minstrel_debugfs.c

diff --git a/net/mac80211/rc80211_minstrel_debugfs.c b/net/mac80211/rc80211_minstrel_debugfs.c
index edde723..2acab1b 100644 (file)
--- a/net/mac80211/rc80211_minstrel_debugfs.c
+++ b/net/mac80211/rc80211_minstrel_debugfs.c
@@ -62,14 +62,14 @@ minstrel_stats_open(struct inode *inode, struct file *file)
        unsigned int i, tp, prob, eprob;
        char *p;
 
-       ms = kmalloc(sizeof(*ms) + 4096, GFP_KERNEL);
+       ms = kmalloc(2048, GFP_KERNEL);
        if (!ms)
                return -ENOMEM;
 
        file->private_data = ms;
        p = ms->buf;
-       p += sprintf(p, "rate      throughput  ewma prob  this prob  "
-                       "this succ/attempt   success    attempts\n");
+       p += sprintf(p, "rate          tpt eprob *prob"
+                       "  *ok(*cum)        ok(      cum)\n");
        for (i = 0; i < mi->n_rates; i++) {
                struct minstrel_rate *mr = &mi->r[i];
                struct minstrel_rate_stats *mrs = &mi->r[i].stats;
@@ -86,8 +86,8 @@ minstrel_stats_open(struct inode *inode, struct file *file)
                prob = MINSTREL_TRUNC(mrs->cur_prob * 1000);
                eprob = MINSTREL_TRUNC(mrs->probability * 1000);
 
-               p += sprintf(p, "  %6u.%1u   %6u.%1u   %6u.%1u        "
-                               "   %3u(%3u)  %8llu    %8llu\n",
+               p += sprintf(p, " %4u.%1u %3u.%1u %3u.%1u"
+                               " %4u(%4u) %9llu(%9llu)\n",
                                tp / 10, tp % 10,
                                eprob / 10, eprob % 10,
                                prob / 10, prob % 10,
@@ -102,6 +102,8 @@ minstrel_stats_open(struct inode *inode, struct file *file)
                        mi->sample_packets);
        ms->len = p - ms->buf;
 
+       WARN_ON(ms->len + sizeof(*ms) > 2048);
+
        return 0;
 }