[PATCH 3.4 12/12] staging: wlags49_h2: buffer overflow setting station name
3.4-stable review patch. If anyone has any objections, please let me know.
--
From: Dan Carpenter
commit b5e2f339865fb443107e5b10603e53bbc92dc054 upstream.
We need to check the length parameter before doing the memcpy(). I've
actually changed it to strlcpy() as well so that it's NUL terminated.
You need CAP_NET_ADMIN to trigger these so it's not the end of the
world.
[XiuQi: Backported to 3.4: Adjust context]
Reported-by: Nico Golde
Reported-by: Fabian Yamaguchi
Signed-off-by: Dan Carpenter
Signed-off-by: Linus Torvalds
Signed-off-by: Xie XiuQi
Signed-off-by: Greg Kroah-Hartman
---
drivers/staging/wlags49_h2/wl_priv.c |8 ++--
1 file changed, 6 insertions(+), 2 deletions(-)
--- a/drivers/staging/wlags49_h2/wl_priv.c
+++ b/drivers/staging/wlags49_h2/wl_priv.c
@@ -570,6 +570,7 @@ int wvlan_uil_put_info( struct uilreq *u
ltv_t *pLtv;
bool_t ltvAllocated = FALSE;
ENCSTRCTsEncryption;
+ size_t len;
#ifdef USE_WDS
hcf_16 hcfPort = HCF_PORT_0;
@@ -686,7 +687,8 @@ int wvlan_uil_put_info( struct uilreq *u
break;
case CFG_CNF_OWN_NAME:
memset( lp->StationName, 0, sizeof(
lp->StationName ));
- memcpy( (void *)lp->StationName, (void
*)>u.u8[2], (size_t)pLtv->u.u16[0]);
+ len = min_t(size_t, pLtv->u.u16[0],
sizeof(lp->StationName));
+ strlcpy(lp->StationName,
>u.u8[2], len);
pLtv->u.u16[0] = CNV_INT_TO_LITTLE(
pLtv->u.u16[0] );
break;
case CFG_CNF_LOAD_BALANCING:
@@ -1800,6 +1802,7 @@ int wvlan_set_station_nickname(struct ne
{
struct wl_private *lp = wl_priv(dev);
unsigned long flags;
+ size_t len;
int ret = 0;
/**/
@@ -1811,7 +1814,8 @@ int wvlan_set_station_nickname(struct ne
memset( lp->StationName, 0, sizeof( lp->StationName ));
-memcpy( lp->StationName, extra, wrqu->data.length);
+ len = min_t(size_t, wrqu->data.length, sizeof(lp->StationName));
+ strlcpy(lp->StationName, extra, len);
/* Commit the adapter parameters */
wl_apply( lp );
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[PATCH 3.4 12/12] staging: wlags49_h2: buffer overflow setting station name
3.4-stable review patch. If anyone has any objections, please let me know.
--
From: Dan Carpenter dan.carpen...@oracle.com
commit b5e2f339865fb443107e5b10603e53bbc92dc054 upstream.
We need to check the length parameter before doing the memcpy(). I've
actually changed it to strlcpy() as well so that it's NUL terminated.
You need CAP_NET_ADMIN to trigger these so it's not the end of the
world.
[XiuQi: Backported to 3.4: Adjust context]
Reported-by: Nico Golde n...@ngolde.de
Reported-by: Fabian Yamaguchi f...@goesec.de
Signed-off-by: Dan Carpenter dan.carpen...@oracle.com
Signed-off-by: Linus Torvalds torva...@linux-foundation.org
Signed-off-by: Xie XiuQi xiexi...@huawei.com
Signed-off-by: Greg Kroah-Hartman gre...@linuxfoundation.org
---
drivers/staging/wlags49_h2/wl_priv.c |8 ++--
1 file changed, 6 insertions(+), 2 deletions(-)
--- a/drivers/staging/wlags49_h2/wl_priv.c
+++ b/drivers/staging/wlags49_h2/wl_priv.c
@@ -570,6 +570,7 @@ int wvlan_uil_put_info( struct uilreq *u
ltv_t *pLtv;
bool_t ltvAllocated = FALSE;
ENCSTRCTsEncryption;
+ size_t len;
#ifdef USE_WDS
hcf_16 hcfPort = HCF_PORT_0;
@@ -686,7 +687,8 @@ int wvlan_uil_put_info( struct uilreq *u
break;
case CFG_CNF_OWN_NAME:
memset( lp-StationName, 0, sizeof(
lp-StationName ));
- memcpy( (void *)lp-StationName, (void
*)pLtv-u.u8[2], (size_t)pLtv-u.u16[0]);
+ len = min_t(size_t, pLtv-u.u16[0],
sizeof(lp-StationName));
+ strlcpy(lp-StationName,
pLtv-u.u8[2], len);
pLtv-u.u16[0] = CNV_INT_TO_LITTLE(
pLtv-u.u16[0] );
break;
case CFG_CNF_LOAD_BALANCING:
@@ -1800,6 +1802,7 @@ int wvlan_set_station_nickname(struct ne
{
struct wl_private *lp = wl_priv(dev);
unsigned long flags;
+ size_t len;
int ret = 0;
/**/
@@ -1811,7 +1814,8 @@ int wvlan_set_station_nickname(struct ne
memset( lp-StationName, 0, sizeof( lp-StationName ));
-memcpy( lp-StationName, extra, wrqu-data.length);
+ len = min_t(size_t, wrqu-data.length, sizeof(lp-StationName));
+ strlcpy(lp-StationName, extra, len);
/* Commit the adapter parameters */
wl_apply( lp );
--
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
