--- net/wireless/wext.c

+++ net/wireless/wext.c

@@ -854,6 +854,22 @@ static int ioctl_standard_iw_point(struc

}

}

+ if (IW_IS_GET(cmd) && !(descr->flags & IW_DESCR_FLAG_NOMAX)) {

+ /*

+ * If this is a GET, but not NOMAX, it means that the extra

+ * data is not bounded by userspace, but by max_tokens. Thus

+ * set the length to max_tokens. This matches the extra data

+ * allocation.

+ * The driver should fill it with the number of tokens it

+ * provided, and it may check iwp->length rather than having

+ * knowledge of max_tokens. If the driver doesn't change the

+ * iwp->length, this ioctl just copies back max_token tokens

+ * filled with zeroes. Hopefully the driver isn't claiming

+ * them to be valid data.

+ */

+ iwp->length = descr->max_tokens;

+ }

+

err = handler(dev, info, (union iwreq_data *) iwp, extra);

iwp->length += essid_compat;

@@ -1013,7 +1029,7 @@ static int ioctl_private_iw_point(struct

} else if (!iwp->pointer)

return -EFAULT;

- extra = kmalloc(extra_size, GFP_KERNEL);

+ extra = kzalloc(extra_size, GFP_KERNEL);

if (!extra)

return -ENOMEM;