In dgrp_receive() there is:
desclen = ((plen - 12) > MAX_DESC_LEN) ? MAX_DESC_LEN :
plen - 12;
strncpy(nd->nd_ps_desc, b + 12, desclen);
However, it's possible for plen to be <= 12 here so we'd be passing a
negative number into the strncpy(). Fix this to not make the strncpy
call and report an error if desclen is <= 0
Reported-by: Dan Carpenter <[email protected]>
Signed-off-by: Bill Pemberton <[email protected]>
---
drivers/staging/dgrp/dgrp_net_ops.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/staging/dgrp/dgrp_net_ops.c
b/drivers/staging/dgrp/dgrp_net_ops.c
index d9d6b67..ab839ea 100644
--- a/drivers/staging/dgrp/dgrp_net_ops.c
+++ b/drivers/staging/dgrp/dgrp_net_ops.c
@@ -3156,6 +3156,12 @@ check_query:
nd->nd_hw_id = b[6];
desclen = ((plen - 12) >
MAX_DESC_LEN) ? MAX_DESC_LEN :
plen - 12;
+
+ if (desclen <= 0) {
+ error = "Response
Packet desclen error";
+ goto prot_error;
+ }
+
strncpy(nd->nd_ps_desc, b + 12,
desclen);
nd->nd_ps_desc[desclen] = 0;
}
--
1.7.12
_______________________________________________
devel mailing list
[email protected]
http://driverdev.linuxdriverproject.org/mailman/listinfo/devel
