This is a note to let you know that I've just added the patch titled
wl12xx: fix potential buffer overflow in testmode nvs push
to the 2.6.38-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
wl12xx-fix-potential-buffer-overflow-in-testmode-nvs-push.patch
and it can be found in the queue-2.6.38 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <[email protected]> know about it.
From 09b661b33268698d3b453dceb78cda129ad899b4 Mon Sep 17 00:00:00 2001
From: Luciano Coelho <[email protected]>
Date: Fri, 1 Apr 2011 19:42:02 +0300
Subject: wl12xx: fix potential buffer overflow in testmode nvs push
From: Luciano Coelho <[email protected]>
commit 09b661b33268698d3b453dceb78cda129ad899b4 upstream.
We were allocating the size of the NVS file struct and not checking
whether the length of the buffer passed was correct before copying it
into the allocated memory. This is a security hole because buffer
overflows can occur if the userspace passes a bigger file than what is
expected.
With this patch, we check if the size of the data passed from
userspace matches the size required.
This bug was introduced in 2.6.36.
Reported-by: Ido Yariv <[email protected]>
Signed-off-by: Luciano Coelho <[email protected]>
Signed-off-by: John W. Linville <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/net/wireless/wl12xx/testmode.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/net/wireless/wl12xx/testmode.c
+++ b/drivers/net/wireless/wl12xx/testmode.c
@@ -204,7 +204,10 @@ static int wl1271_tm_cmd_nvs_push(struct
kfree(wl->nvs);
- wl->nvs = kzalloc(sizeof(struct wl1271_nvs_file), GFP_KERNEL);
+ if (len != sizeof(struct wl1271_nvs_file))
+ return -EINVAL;
+
+ wl->nvs = kzalloc(len, GFP_KERNEL);
if (!wl->nvs) {
wl1271_error("could not allocate memory for the nvs file");
ret = -ENOMEM;
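Review bot: The new `return -EINVAL` sits after `kfree(wl->nvs)`, so on a length mismatch the function exits with `wl->nvs` still pointing at freed memory; a later read of `wl->nvs`, or a second push that reaches `kfree(wl->nvs)` again, would then use or double-free that pointer. The return is also direct, while the allocation-failure branch just below sets `ret = -ENOMEM` instead of returning, which suggests a shared exit path that this early return skips. Suggest moving the `len != sizeof(struct wl1271_nvs_file)` check ahead of the `kfree` (or setting `wl->nvs = NULL` right after freeing) and reporting the error through `ret` the same way the -ENOMEM case does.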
Patches currently in stable-queue which might be from [email protected] are
queue-2.6.38/wl12xx-fix-potential-buffer-overflow-in-testmode-nvs-push.patch