From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Nico Golde <nico@ngolde.de>,
Fabian Yamaguchi <fabs@goesec.de>,
Dan Carpenter <dan.carpenter@oracle.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
Xie XiuQi <xiexiuqi@huawei.com>
Subject: [PATCH 3.4 12/12] staging: wlags49_h2: buffer overflow setting station name
Date: Sat, 25 Jan 2014 19:05:15 -0800
Message-ID: <20140126030452.867444188@linuxfoundation.org>
In-Reply-To: <20140126030451.934281002@linuxfoundation.org>
3.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@oracle.com>
commit b5e2f339865fb443107e5b10603e53bbc92dc054 upstream.
We need to check the length parameter before doing the memcpy(). I've
actually changed it to strlcpy() as well so that it's NUL terminated.
You need CAP_NET_ADMIN to trigger these so it's not the end of the
world.
[XiuQi: Backported to 3.4: Adjust context]
Reported-by: Nico Golde <nico@ngolde.de>
Reported-by: Fabian Yamaguchi <fabs@goesec.de>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Xie XiuQi <xiexiuqi@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/wlags49_h2/wl_priv.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
--- a/drivers/staging/wlags49_h2/wl_priv.c
+++ b/drivers/staging/wlags49_h2/wl_priv.c
@@ -570,6 +570,7 @@ int wvlan_uil_put_info( struct uilreq *u
ltv_t *pLtv;
bool_t ltvAllocated = FALSE;
ENCSTRCT sEncryption;
+ size_t len;
#ifdef USE_WDS
hcf_16 hcfPort = HCF_PORT_0;
@@ -686,7 +687,8 @@ int wvlan_uil_put_info( struct uilreq *u
break;
case CFG_CNF_OWN_NAME:
memset( lp->StationName, 0, sizeof( lp->StationName ));
- memcpy( (void *)lp->StationName, (void *)&pLtv->u.u8[2], (size_t)pLtv->u.u16[0]);
+ len = min_t(size_t, pLtv->u.u16[0], sizeof(lp->StationName));
+ strlcpy(lp->StationName, &pLtv->u.u8[2], len);
pLtv->u.u16[0] = CNV_INT_TO_LITTLE( pLtv->u.u16[0] );
break;
case CFG_CNF_LOAD_BALANCING:
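Review bot: In the CFG_CNF_OWN_NAME case, strlcpy(lp->StationName, &pLtv->u.u8[2], len) bounds the write but not the read. strlcpy() calls strlen() on the source to compute its return value, so if the LTV payload carries no NUL inside its buffer the call scans past the bytes that u16[0] describes. The memset() two lines above already zeroes StationName, so clamping len to sizeof(lp->StationName) - 1 and keeping memcpy() would give a terminated string without walking the source. A short comment stating that u16[0] is treated as a byte count here would also help, since the value is byte-swapped on the next line.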
@@ -1800,6 +1802,7 @@ int wvlan_set_station_nickname(struct ne
{
struct wl_private *lp = wl_priv(dev);
unsigned long flags;
+ size_t len;
int ret = 0;
/*------------------------------------------------------------------------*/
@@ -1811,7 +1814,8 @@ int wvlan_set_station_nickname(struct ne
memset( lp->StationName, 0, sizeof( lp->StationName ));
- memcpy( lp->StationName, extra, wrqu->data.length);
+ len = min_t(size_t, wrqu->data.length, sizeof(lp->StationName));
+ strlcpy(lp->StationName, extra, len);
/* Commit the adapter parameters */
wl_apply( lp );
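Review bot: In wvlan_set_station_nickname(), passing len as the size argument of strlcpy() means at most len - 1 bytes are copied, so when wrqu->data.length counts only the nickname characters with no terminator, the last character is silently dropped, which the old memcpy() did not do. If that truncation is not intended, len = min_t(size_t, wrqu->data.length, sizeof(lp->StationName) - 1) followed by memcpy() keeps the full name and relies on the preceding memset() for termination. Either way, the commit message should say whether data.length is expected to include the NUL.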