From: Jean Tourrilhes After the Orinoco issue, I did an audit of other drivers for the same issue. Three drivers were NULL terminating the ESSID, which could cause an overflow in WE-21 when the ESSID has maximum size. Signed-off-by: Jean Tourrilhes Signed-off-by: Andrew Morton --- drivers/net/wireless/airo.c | 1 - drivers/net/wireless/atmel.c | 2 -- drivers/net/wireless/ray_cs.c | 1 - 3 files changed, 4 deletions(-) diff -puN drivers/net/wireless/airo.c~more-we-21-potential-overflows drivers/net/wireless/airo.c --- a/drivers/net/wireless/airo.c~more-we-21-potential-overflows +++ a/drivers/net/wireless/airo.c @@ -5924,7 +5924,6 @@ static int airo_get_essid(struct net_dev /* Get the current SSID */ memcpy(extra, status_rid.SSID, status_rid.SSIDlen); - extra[status_rid.SSIDlen] = '\0'; /* If none, we may want to get the one that was set */ /* Push it out ! */ diff -puN drivers/net/wireless/atmel.c~more-we-21-potential-overflows drivers/net/wireless/atmel.c --- a/drivers/net/wireless/atmel.c~more-we-21-potential-overflows +++ a/drivers/net/wireless/atmel.c @@ -1678,11 +1678,9 @@ static int atmel_get_essid(struct net_de /* Get the current SSID */ if (priv->new_SSID_size != 0) { memcpy(extra, priv->new_SSID, priv->new_SSID_size); - extra[priv->new_SSID_size] = '\0'; dwrq->length = priv->new_SSID_size; } else { memcpy(extra, priv->SSID, priv->SSID_size); - extra[priv->SSID_size] = '\0'; dwrq->length = priv->SSID_size; } diff -puN drivers/net/wireless/ray_cs.c~more-we-21-potential-overflows drivers/net/wireless/ray_cs.c --- a/drivers/net/wireless/ray_cs.c~more-we-21-potential-overflows +++ a/drivers/net/wireless/ray_cs.c @@ -1178,7 +1178,6 @@ static int ray_get_essid(struct net_devi /* Get the essid that was set */ memcpy(extra, local->sparm.b5.a_current_ess_id, IW_ESSID_MAX_SIZE); - extra[IW_ESSID_MAX_SIZE] = '\0'; /* Push it out ! */ dwrq->length = strlen(extra); _