This is a note to let you know that I've just added the patch titled
staging: ozwpan: prevent overflow in oz_cdev_write()
to the 3.11-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
staging-ozwpan-prevent-overflow-in-oz_cdev_write.patch
and it can be found in the queue-3.11 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <[email protected]> know about it.
>From c2c65cd2e14ada6de44cb527e7f1990bede24e15 Mon Sep 17 00:00:00 2001
From: Dan Carpenter <[email protected]>
Date: Tue, 29 Oct 2013 22:07:47 +0300
Subject: staging: ozwpan: prevent overflow in oz_cdev_write()
From: Dan Carpenter <[email protected]>
commit c2c65cd2e14ada6de44cb527e7f1990bede24e15 upstream.
We need to check "count" so we don't overflow the ei->data buffer.
Reported-by: Nico Golde <[email protected]>
Reported-by: Fabian Yamaguchi <[email protected]>
Signed-off-by: Dan Carpenter <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/staging/ozwpan/ozcdev.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/staging/ozwpan/ozcdev.c
+++ b/drivers/staging/ozwpan/ozcdev.c
@@ -152,6 +152,9 @@ static ssize_t oz_cdev_write(struct file
struct oz_app_hdr *app_hdr;
struct oz_serial_ctx *ctx;
+ if (count > sizeof(ei->data) - sizeof(*elt) - sizeof(*app_hdr))
+ return -EINVAL;
+
spin_lock_bh(&g_cdev.lock);
pd = g_cdev.active_pd;
if (pd)
Patches currently in stable-queue which might be from [email protected]
are
queue-3.11/staging-wlags49_h2-buffer-overflow-setting-station-name.patch
queue-3.11/staging-ozwpan-prevent-overflow-in-oz_cdev_write.patch
queue-3.11/aacraid-missing-capable-check-in-compat-ioctl.patch
queue-3.11/staging-bcm-info-leak-in-ioctl.patch
queue-3.11/uml-check-length-in-exitcode_proc_write.patch
queue-3.11/staging-sb105x-info-leak-in-mp_get_count.patch
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html