commit: d50e7e3604778bfc2dc40f440e0742dbae399d54 From: Dan Rosenberg <[email protected]> Date: Sat, 19 Mar 2011 20:14:30 +0000 Subject: [PATCH] irda: prevent heap corruption on invalid nickname
Invalid nicknames containing only spaces will result in an underflow in a memcpy size calculation, subsequently destroying the heap and panicking. v2 also catches the case where the provided nickname is longer than the buffer size, which can result in controllable heap corruption. Signed-off-by: Dan Rosenberg <[email protected]> Cc: [email protected] Signed-off-by: David S. Miller <[email protected]> --- net/irda/irnet/irnet_ppp.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) diff --git a/net/irda/irnet/irnet_ppp.c b/net/irda/irnet/irnet_ppp.c index 7c567b8..2bb2beb 100644 --- a/net/irda/irnet/irnet_ppp.c +++ b/net/irda/irnet/irnet_ppp.c @@ -105,6 +105,9 @@ irnet_ctrl_write(irnet_socket * ap, while(isspace(start[length - 1])) length--; + DABORT(length < 5 || length > NICKNAME_MAX_LEN + 5, + -EINVAL, CTRL_ERROR, "Invalid nickname.\n"); + /* Copy the name for later reuse */ memcpy(ap->rname, start + 5, length - 5); ap->rname[length - 5] = '\0'; _______________________________________________ stable mailing list [email protected] http://linux.kernel.org/mailman/listinfo/stable
