From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Nico Golde <nico@ngolde.de>,
Fabian Yamaguchi <fabs@goesec.de>,
Dan Carpenter <dan.carpenter@oracle.com>,
Linus Torvalds <torvalds@linux-foundation.org>
Subject: [PATCH 3.4 18/26] staging: ozwpan: prevent overflow in oz_cdev_write()
Date: Fri, 8 Nov 2013 22:51:47 -0800 [thread overview]
Message-ID: <20131109065051.477959159@linuxfoundation.org> (raw)
In-Reply-To: <20131109065050.089866597@linuxfoundation.org>
3.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@oracle.com>
commit c2c65cd2e14ada6de44cb527e7f1990bede24e15 upstream.
We need to check "count" so we don't overflow the ei->data buffer.
Reported-by: Nico Golde <nico@ngolde.de>
Reported-by: Fabian Yamaguchi <fabs@goesec.de>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/ozwpan/ozcdev.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/staging/ozwpan/ozcdev.c
+++ b/drivers/staging/ozwpan/ozcdev.c
@@ -153,6 +153,9 @@ ssize_t oz_cdev_write(struct file *filp,
struct oz_app_hdr *app_hdr;
struct oz_serial_ctx *ctx;
+ if (count > sizeof(ei->data) - sizeof(*elt) - sizeof(*app_hdr))
+ return -EINVAL;
+
spin_lock_bh(&g_cdev.lock);
pd = g_cdev.active_pd;
if (pd)
next prev parent reply other threads:[~2013-11-09 6:49 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-11-09 6:51 [PATCH 3.4 00/26] 3.4.69-stable review Greg Kroah-Hartman
2013-11-09 6:51 ` [PATCH 3.4 01/26] USB: support new huawei devices in option.c Greg Kroah-Hartman
2013-11-09 6:51 ` [PATCH 3.4 02/26] USB: quirks.c: add one device that cannot deal with suspension Greg Kroah-Hartman
2013-11-09 6:51 ` [PATCH 3.4 03/26] USB: quirks: add touchscreen that is dazzeled by remote wakeup Greg Kroah-Hartman
2013-11-09 6:51 ` [PATCH 3.4 04/26] USB: serial: ftdi_sio: add id for Z3X Box device Greg Kroah-Hartman
2013-11-09 6:51 ` [PATCH 3.4 05/26] mac80211: correctly close cancelled scans Greg Kroah-Hartman
2013-11-09 6:51 ` [PATCH 3.4 06/26] mac80211: update sta->last_rx on acked tx frames Greg Kroah-Hartman
2013-11-09 6:51 ` [PATCH 3.4 07/26] rtlwifi: rtl8192cu: Fix error in pointer arithmetic Greg Kroah-Hartman
2013-11-09 6:51 ` [PATCH 3.4 08/26] jfs: fix error path in ialloc Greg Kroah-Hartman
2013-11-09 6:51 ` [PATCH 3.4 09/26] can: flexcan: flexcan_chip_start: fix regression, mark one MB for TX and abort pending TX Greg Kroah-Hartman
2013-11-09 6:51 ` [PATCH 3.4 10/26] libata: make ata_eh_qc_retry() bump scmd->allowed on bogus failures Greg Kroah-Hartman
2013-11-09 6:51 ` [PATCH 3.4 11/26] md: Fix skipping recovery for read-only arrays Greg Kroah-Hartman
2013-11-17 4:11 ` Ben Hutchings
2013-11-17 7:20 ` NeilBrown
2013-11-09 6:51 ` [PATCH 3.4 12/26] clockevents: Sanitize ticks to nsec conversion Greg Kroah-Hartman
2013-11-09 6:51 ` Greg Kroah-Hartman
2013-11-09 6:51 ` [PATCH 3.4 13/26] parisc: Do not crash 64bit SMP kernels on machines with >= 4GB RAM Greg Kroah-Hartman
2013-11-09 6:51 ` [PATCH 3.4 14/26] ALSA: hda - Add a fixup for ASUS N76VZ Greg Kroah-Hartman
2013-11-09 6:51 ` [PATCH 3.4 15/26] ALSA: fix oops in snd_pcm_info() caused by ASoC DPCM Greg Kroah-Hartman
2013-11-09 6:51 ` [PATCH 3.4 16/26] ASoC: wm_hubs: Add missing break in hp_supply_event() Greg Kroah-Hartman
2013-11-09 6:51 ` [PATCH 3.4 17/26] ASoC: dapm: Fix source list debugfs outputs Greg Kroah-Hartman
2013-11-09 6:51 ` Greg Kroah-Hartman [this message]
2013-11-09 6:51 ` [PATCH 3.4 19/26] Staging: bcm: info leak in ioctl Greg Kroah-Hartman
2013-11-09 6:51 ` [PATCH 3.4 20/26] uml: check length in exitcode_proc_write() Greg Kroah-Hartman
2013-11-09 6:51 ` [PATCH 3.4 21/26] xtensa: dont use alternate signal stack on threads Greg Kroah-Hartman
2013-11-09 6:51 ` [PATCH 3.4 22/26] lib/scatterlist.c: dont flush_kernel_dcache_page on slab page Greg Kroah-Hartman
2013-11-09 6:51 ` [PATCH 3.4 23/26] aacraid: missing capable() check in compat ioctl Greg Kroah-Hartman
2013-11-09 6:51 ` [PATCH 3.4 24/26] mm: fix aio performance regression for database caused by THP Greg Kroah-Hartman
2013-11-09 6:51 ` [PATCH 3.4 25/26] drm: Prevent overwriting from userspace underallocating core ioctl structs Greg Kroah-Hartman
2013-11-09 6:51 ` [PATCH 3.4 26/26] drm/radeon/atom: workaround vbios bug in transmitter table on rs780 Greg Kroah-Hartman
2013-11-09 14:24 ` [PATCH 3.4 00/26] 3.4.69-stable review Satoru Takeuchi
2013-11-09 16:19 ` Greg Kroah-Hartman
2013-11-09 16:58 ` Guenter Roeck
2013-11-09 17:12 ` Greg Kroah-Hartman
2013-11-11 17:58 ` Shuah Khan
2013-11-11 22:51 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20131109065051.477959159@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=dan.carpenter@oracle.com \
--cc=fabs@goesec.de \
--cc=linux-kernel@vger.kernel.org \
--cc=nico@ngolde.de \
--cc=stable@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.