[PATCH 3.4 12/12] staging: wlags49_h2: buffer overflow setting station name
3.4-stable review patch. If anyone has any objections, please let me know. -- From: Dan Carpenter commit b5e2f339865fb443107e5b10603e53bbc92dc054 upstream. We need to check the length parameter before doing the memcpy(). I've actually changed it to strlcpy() as well so that it's NUL terminated. You need CAP_NET_ADMIN to trigger these so it's not the end of the world. [XiuQi: Backported to 3.4: Adjust context] Reported-by: Nico Golde Reported-by: Fabian Yamaguchi Signed-off-by: Dan Carpenter Signed-off-by: Linus Torvalds Signed-off-by: Xie XiuQi Signed-off-by: Greg Kroah-Hartman --- drivers/staging/wlags49_h2/wl_priv.c |8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) --- a/drivers/staging/wlags49_h2/wl_priv.c +++ b/drivers/staging/wlags49_h2/wl_priv.c @@ -570,6 +570,7 @@ int wvlan_uil_put_info( struct uilreq *u ltv_t *pLtv; bool_t ltvAllocated = FALSE; ENCSTRCTsEncryption; + size_t len; #ifdef USE_WDS hcf_16 hcfPort = HCF_PORT_0; @@ -686,7 +687,8 @@ int wvlan_uil_put_info( struct uilreq *u break; case CFG_CNF_OWN_NAME: memset( lp->StationName, 0, sizeof( lp->StationName )); - memcpy( (void *)lp->StationName, (void *)>u.u8[2], (size_t)pLtv->u.u16[0]); + len = min_t(size_t, pLtv->u.u16[0], sizeof(lp->StationName)); + strlcpy(lp->StationName, >u.u8[2], len); pLtv->u.u16[0] = CNV_INT_TO_LITTLE( pLtv->u.u16[0] ); break; case CFG_CNF_LOAD_BALANCING: @@ -1800,6 +1802,7 @@ int wvlan_set_station_nickname(struct ne { struct wl_private *lp = wl_priv(dev); unsigned long flags; + size_t len; int ret = 0; /**/ 
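Review bot: In the `CFG_CNF_OWN_NAME` case, `strlcpy()` is passed `len` as the destination size, so it copies at most `len - 1` bytes and still runs `strlen()` over the whole source. A name whose supplied length does not count a terminator therefore loses its last character, and a source with no NUL inside the LTV buffer would be read past its end (whether that buffer is always terminated is not visible in the hunk). Because the preceding `memset()` already zeroes `StationName`, clamping to one byte less than the array and keeping a bounded copy avoids both problems: `len = min_t(size_t, pLtv->u.u16[0], sizeof(lp->StationName) - 1);` followed by a `memcpy()` of `len` bytes from the same source. The same applies to the `wvlan_set_station_nickname()` hunk, where `extra` and `wrqu->data.length` take the place of the LTV fields. Both functions start and end outside their hunks.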
@@ -1811,7 +1814,8 @@ int wvlan_set_station_nickname(struct ne memset( lp->StationName, 0, sizeof( lp->StationName )); -memcpy( lp->StationName, extra, wrqu->data.length); + len = min_t(size_t, wrqu->data.length, sizeof(lp->StationName)); + strlcpy(lp->StationName, extra, len); /* Commit the adapter parameters */ wl_apply( lp ); -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 3.4 12/12] staging: wlags49_h2: buffer overflow setting station name
3.4-stable review patch. If anyone has any objections, please let me know. -- From: Dan Carpenter dan.carpen...@oracle.com commit b5e2f339865fb443107e5b10603e53bbc92dc054 upstream. We need to check the length parameter before doing the memcpy(). I've actually changed it to strlcpy() as well so that it's NUL terminated. You need CAP_NET_ADMIN to trigger these so it's not the end of the world. [XiuQi: Backported to 3.4: Adjust context] Reported-by: Nico Golde n...@ngolde.de Reported-by: Fabian Yamaguchi f...@goesec.de Signed-off-by: Dan Carpenter dan.carpen...@oracle.com Signed-off-by: Linus Torvalds torva...@linux-foundation.org Signed-off-by: Xie XiuQi xiexi...@huawei.com Signed-off-by: Greg Kroah-Hartman gre...@linuxfoundation.org --- drivers/staging/wlags49_h2/wl_priv.c |8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) --- a/drivers/staging/wlags49_h2/wl_priv.c +++ b/drivers/staging/wlags49_h2/wl_priv.c @@ -570,6 +570,7 @@ int wvlan_uil_put_info( struct uilreq *u ltv_t *pLtv; bool_t ltvAllocated = FALSE; ENCSTRCTsEncryption; + size_t len; #ifdef USE_WDS hcf_16 hcfPort = HCF_PORT_0; @@ -686,7 +687,8 @@ int wvlan_uil_put_info( struct uilreq *u break; case CFG_CNF_OWN_NAME: memset( lp-StationName, 0, sizeof( lp-StationName )); - memcpy( (void *)lp-StationName, (void *)pLtv-u.u8[2], (size_t)pLtv-u.u16[0]); + len = min_t(size_t, pLtv-u.u16[0], sizeof(lp-StationName)); + strlcpy(lp-StationName, pLtv-u.u8[2], len); pLtv-u.u16[0] = CNV_INT_TO_LITTLE( pLtv-u.u16[0] ); break; case CFG_CNF_LOAD_BALANCING: @@ -1800,6 +1802,7 @@ int wvlan_set_station_nickname(struct ne { struct wl_private *lp = wl_priv(dev); unsigned long flags; + size_t len; int ret = 0; /**/ 
@@ -1811,7 +1814,8 @@ int wvlan_set_station_nickname(struct ne memset( lp-StationName, 0, sizeof( lp-StationName )); -memcpy( lp-StationName, extra, wrqu-data.length); + len = min_t(size_t, wrqu-data.length, sizeof(lp-StationName)); + strlcpy(lp-StationName, extra, len); /* Commit the adapter parameters */ wl_apply( lp ); -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/