From mboxrd@z Thu Jan 1 00:00:00 1970 From: Dan Rosenberg Subject: [PATCH v2] irda: prevent heap corruption on invalid nickname Date: Sun, 20 Mar 2011 02:14:30 -0400 Message-ID: <1300601670.1869.5.camel@dan> Mime-Version: 1.0 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 7bit Cc: netdev@vger.kernel.org, security@kernel.org To: samuel@sortiz.org, davem@davemloft.net Return-path: Received: from mx1.vsecurity.com ([209.67.252.12]:49770 "EHLO mx1.vsecurity.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750983Ab1CTGOg (ORCPT ); Sun, 20 Mar 2011 02:14:36 -0400 Sender: netdev-owner@vger.kernel.org List-ID: Invalid nicknames containing only spaces will result in an underflow in a memcpy size calculation, subsequently destroying the heap and panicking. v2 also catches the case where the provided nickname is longer than the buffer size, which can result in controllable heap corruption. Signed-off-by: Dan Rosenberg Cc: stable@kernel.org --- net/irda/irnet/irnet_ppp.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) diff --git a/net/irda/irnet/irnet_ppp.c b/net/irda/irnet/irnet_ppp.c index 7c567b8..2bb2beb 100644 --- a/net/irda/irnet/irnet_ppp.c +++ b/net/irda/irnet/irnet_ppp.c @@ -105,6 +105,9 @@ irnet_ctrl_write(irnet_socket * ap, while(isspace(start[length - 1])) length--; + DABORT(length < 5 || length > NICKNAME_MAX_LEN + 5, + -EINVAL, CTRL_ERROR, "Invalid nickname.\n"); + /* Copy the name for later reuse */ memcpy(ap->rname, start + 5, length - 5); ap->rname[length - 5] = '\0';
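Review bot: the upper bound `length > NICKNAME_MAX_LEN + 5` still admits a name of exactly NICKNAME_MAX_LEN bytes, after which `ap->rname[length - 5] = '\0';` writes index NICKNAME_MAX_LEN, so the check is only complete if `ap->rname` is declared with at least NICKNAME_MAX_LEN + 1 bytes; that declaration is not visible in this hunk, so either state it in the commit message or express the bound against the buffer itself, e.g. `length - 5 > sizeof(ap->rname) - 1`, so the check cannot drift if the array size changes. A secondary point: the trim loop `while(isspace(start[length - 1])) length--;` has no `length > 0` guard and would read `start[-1]` on an all-whitespace buffer; if an earlier prefix match guarantees a non-space byte at the front of `start`, a one-line comment stating that invariant next to the new DABORT would make its `length < 5` lower bound easier to verify.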