Patch "staging: ozwpan: prevent overflow in oz_cdev_write()" has been added to the 3.11-stable tree

[gregkh]

This is a note to let you know that I've just added the patch titled

    staging: ozwpan: prevent overflow in oz_cdev_write()

to the 3.11-stable tree which can be found at:
    
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     staging-ozwpan-prevent-overflow-in-oz_cdev_write.patch
and it can be found in the queue-3.11 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From c2c65cd2e14ada6de44cb527e7f1990bede24e15 Mon Sep 17 00:00:00 2001
From: Dan Carpenter <dan.carpen...@oracle.com>
Date: Tue, 29 Oct 2013 22:07:47 +0300
Subject: staging: ozwpan: prevent overflow in oz_cdev_write()

From: Dan Carpenter <dan.carpen...@oracle.com>

commit c2c65cd2e14ada6de44cb527e7f1990bede24e15 upstream.

We need to check "count" so we don't overflow the ei->data buffer.

Reported-by: Nico Golde <n...@ngolde.de>
Reported-by: Fabian Yamaguchi <f...@goesec.de>
Signed-off-by: Dan Carpenter <dan.carpen...@oracle.com>
Signed-off-by: Linus Torvalds <torva...@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
 drivers/staging/ozwpan/ozcdev.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/staging/ozwpan/ozcdev.c
+++ b/drivers/staging/ozwpan/ozcdev.c
@@ -152,6 +152,9 @@ static ssize_t oz_cdev_write(struct file
        struct oz_app_hdr *app_hdr;
        struct oz_serial_ctx *ctx;
 
+       if (count > sizeof(ei->data) - sizeof(*elt) - sizeof(*app_hdr))
+               return -EINVAL;
+
        spin_lock_bh(&g_cdev.lock);
        pd = g_cdev.active_pd;
        if (pd)


Patches currently in stable-queue which might be from dan.carpen...@oracle.com 
are

queue-3.11/staging-wlags49_h2-buffer-overflow-setting-station-name.patch
queue-3.11/staging-ozwpan-prevent-overflow-in-oz_cdev_write.patch
queue-3.11/aacraid-missing-capable-check-in-compat-ioctl.patch
queue-3.11/staging-bcm-info-leak-in-ioctl.patch
queue-3.11/uml-check-length-in-exitcode_proc_write.patch
queue-3.11/staging-sb105x-info-leak-in-mp_get_count.patch
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html