From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Nico Golde <nico@ngolde.de>,
Fabian Yamaguchi <fabs@goesec.de>,
Dan Carpenter <dan.carpenter@oracle.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
Ben Hutchings <ben@decadent.org.uk>,
Yijing Wang <wangyijing@huawei.com>
Subject: [PATCH 3.4 34/44] staging: wlags49_h2: buffer overflow setting station name
Date: Mon, 7 Jul 2014 17:07:24 -0700
Message-ID: <20140707235859.660308049@linuxfoundation.org>
In-Reply-To: <20140707235858.652771077@linuxfoundation.org>
3.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@oracle.com>
commit b5e2f339865fb443107e5b10603e53bbc92dc054 upstream.
We need to check the length parameter before doing the memcpy(). I've
actually changed it to strlcpy() as well so that it's NUL terminated.
You need CAP_NET_ADMIN to trigger these so it's not the end of the
world.
Reported-by: Nico Golde <nico@ngolde.de>
Reported-by: Fabian Yamaguchi <fabs@goesec.de>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Cc: Yijing Wang <wangyijing@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/wlags49_h2/wl_priv.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
--- a/drivers/staging/wlags49_h2/wl_priv.c
+++ b/drivers/staging/wlags49_h2/wl_priv.c
@@ -570,6 +570,7 @@ int wvlan_uil_put_info( struct uilreq *u
ltv_t *pLtv;
bool_t ltvAllocated = FALSE;
ENCSTRCT sEncryption;
+ size_t len;
#ifdef USE_WDS
hcf_16 hcfPort = HCF_PORT_0;
@@ -686,7 +687,8 @@ int wvlan_uil_put_info( struct uilreq *u
break;
case CFG_CNF_OWN_NAME:
memset( lp->StationName, 0, sizeof( lp->StationName ));
- memcpy( (void *)lp->StationName, (void *)&pLtv->u.u8[2], (size_t)pLtv->u.u16[0]);
+ len = min_t(size_t, pLtv->u.u16[0], sizeof(lp->StationName));
+ strlcpy(lp->StationName, &pLtv->u.u8[2], len);
pLtv->u.u16[0] = CNV_INT_TO_LITTLE( pLtv->u.u16[0] );
break;
case CFG_CNF_LOAD_BALANCING:
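Review bot: In the CFG_CNF_OWN_NAME case, strlcpy() copies at most len - 1 bytes before writing the NUL, so with `len = min_t(size_t, pLtv->u.u16[0], sizeof(lp->StationName));` a name that fits in the buffer still loses its last byte unless u16[0] already counts a terminator. If u16[0] is the byte count of the name, either pass min_t(size_t, pLtv->u.u16[0] + 1, sizeof(lp->StationName)) as the size, or keep memcpy() with the length clamped to sizeof(lp->StationName) - 1, since the memset() on the line above already guarantees termination. A one-line comment saying which of the two the length field means would settle it for the next reader.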
@@ -1800,6 +1802,7 @@ int wvlan_set_station_nickname(struct ne
{
struct wl_private *lp = wl_priv(dev);
unsigned long flags;
+ size_t len;
int ret = 0;
/*------------------------------------------------------------------------*/
@@ -1810,8 +1813,8 @@ int wvlan_set_station_nickname(struct ne
wl_lock(lp, &flags);
memset( lp->StationName, 0, sizeof( lp->StationName ));
-
- memcpy( lp->StationName, extra, wrqu->data.length);
+ len = min_t(size_t, wrqu->data.length, sizeof(lp->StationName));
+ strlcpy(lp->StationName, extra, len);
/* Commit the adapter parameters */
wl_apply( lp );
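Review bot: `strlcpy(lp->StationName, extra, len);` bounds the write into StationName but not the read from extra: strlcpy() computes strlen(src) for its return value, so it walks extra until it finds a NUL even when wrqu->data.length is smaller. Unless extra is guaranteed to be NUL-terminated within data.length bytes, that is a read past the supplied data. Clamping with min_t(size_t, wrqu->data.length, sizeof(lp->StationName) - 1) and keeping memcpy() avoids both that and the dropped final byte that strlcpy() causes when data.length does not include a terminator; the preceding memset() already leaves the buffer NUL-terminated.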