mwifiex: potential corruption in mwifiex_update_uap_custom_ie()

ap_custom_ie is a struct mwifiex_ie_list which is quite different and
also larger than struct mwifiex_ie.  It's a difference between 4196
bytes and 262.

Signed-off-by: Dan Carpenter <[email protected]>
Tested-by: Stone Piao <[email protected]>
Acked-by: Bing Zhao <[email protected]>
Signed-off-by: John W. Linville <[email protected]>

diff --git a/drivers/net/wireless/mwifiex/ie.c b/drivers/net/wireless/mwifiex/ie.c
index 1d8dd003e39617124ff87d92d2d3437391b7ba84..fa3a80fb8c01e5b4c194aacd32d66dec934307bb 100644 (file)
--- a/drivers/net/wireless/mwifiex/ie.c
+++ b/drivers/net/wireless/mwifiex/ie.c
@@ -160,7 +160,7 @@ mwifiex_update_uap_custom_ie(struct mwifiex_private *priv,
        u16 len;
        int ret;
 
-       ap_custom_ie = kzalloc(sizeof(struct mwifiex_ie), GFP_KERNEL);
+       ap_custom_ie = kzalloc(sizeof(*ap_custom_ie), GFP_KERNEL);
        if (!ap_custom_ie)
                return -ENOMEM;