This is a note to let you know that I've just added the patch titled
staging: wlags49_h2: buffer overflow setting station name
to the 3.11-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
staging-wlags49_h2-buffer-overflow-setting-station-name.patch
and it can be found in the queue-3.11 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <[email protected]> know about it.
>From b5e2f339865fb443107e5b10603e53bbc92dc054 Mon Sep 17 00:00:00 2001
From: Dan Carpenter <[email protected]>
Date: Tue, 29 Oct 2013 23:00:15 +0300
Subject: staging: wlags49_h2: buffer overflow setting station name
From: Dan Carpenter <[email protected]>
commit b5e2f339865fb443107e5b10603e53bbc92dc054 upstream.
We need to check the length parameter before doing the memcpy(). I've
actually changed it to strlcpy() as well so that it's NUL terminated.
You need CAP_NET_ADMIN to trigger these so it's not the end of the
world.
Reported-by: Nico Golde <[email protected]>
Reported-by: Fabian Yamaguchi <[email protected]>
Signed-off-by: Dan Carpenter <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/staging/wlags49_h2/wl_priv.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
--- a/drivers/staging/wlags49_h2/wl_priv.c
+++ b/drivers/staging/wlags49_h2/wl_priv.c
@@ -570,6 +570,7 @@ int wvlan_uil_put_info(struct uilreq *ur
ltv_t *pLtv;
bool_t ltvAllocated = FALSE;
ENCSTRCT sEncryption;
+ size_t len;
#ifdef USE_WDS
hcf_16 hcfPort = HCF_PORT_0;
@@ -686,7 +687,8 @@ int wvlan_uil_put_info(struct uilreq *ur
break;
case CFG_CNF_OWN_NAME:
memset(lp->StationName, 0,
sizeof(lp->StationName));
- memcpy((void *)lp->StationName, (void
*)&pLtv->u.u8[2], (size_t)pLtv->u.u16[0]);
+ len = min_t(size_t, pLtv->u.u16[0],
sizeof(lp->StationName));
+ strlcpy(lp->StationName,
&pLtv->u.u8[2], len);
pLtv->u.u16[0] =
CNV_INT_TO_LITTLE(pLtv->u.u16[0]);
break;
case CFG_CNF_LOAD_BALANCING:
@@ -1783,6 +1785,7 @@ int wvlan_set_station_nickname(struct ne
{
struct wl_private *lp = wl_priv(dev);
unsigned long flags;
+ size_t len;
int ret = 0;
/*------------------------------------------------------------------------*/
@@ -1793,8 +1796,8 @@ int wvlan_set_station_nickname(struct ne
wl_lock(lp, &flags);
memset(lp->StationName, 0, sizeof(lp->StationName));
-
- memcpy(lp->StationName, extra, wrqu->data.length);
+ len = min_t(size_t, wrqu->data.length, sizeof(lp->StationName));
+ strlcpy(lp->StationName, extra, len);
/* Commit the adapter parameters */
wl_apply(lp);
Patches currently in stable-queue which might be from [email protected]
are
queue-3.11/staging-wlags49_h2-buffer-overflow-setting-station-name.patch
queue-3.11/staging-ozwpan-prevent-overflow-in-oz_cdev_write.patch
queue-3.11/aacraid-missing-capable-check-in-compat-ioctl.patch
queue-3.11/staging-bcm-info-leak-in-ioctl.patch
queue-3.11/uml-check-length-in-exitcode_proc_write.patch
queue-3.11/staging-sb105x-info-leak-in-mp_get_count.patch
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
