From: Greg Kroah-Hartman
Subject: Re: [PATCH] ncpfs: memory corruption in ncp_read_kernel()
Date: Mon, 19 Mar 2018 14:56:13 +0100
Message-ID: <20180319135612.GA2465@kroah.com>
References: <20180319110745.GA12001@mwanda>
In-Reply-To: <20180319110745.GA12001@mwanda>
To: Dan Carpenter
Cc: devel@driverdev.osuosl.org, security@kernel.org, netdev@vger.kernel.org, Philippe Ombredanne, Thomas Gleixner, Petr Vandrovec, "David S. Miller"

On Mon, Mar 19, 2018 at 02:07:45PM +0300, Dan Carpenter wrote:
> If the server is malicious then *bytes_read could be larger than the
> size of the "target" buffer. It would lead to memory corruption when we
> do the memcpy().
>
> Reported-by: Dr Silvio Cesare of InfoSect
> Signed-off-by: Dan Carpenter
>
> diff --git a/drivers/staging/ncpfs/ncplib_kernel.c b/drivers/staging/ncpfs/ncplib_kernel.c
> index 804adfebba2f..3e047eb4cc7c 100644
> --- a/drivers/staging/ncpfs/ncplib_kernel.c
> +++ b/drivers/staging/ncpfs/ncplib_kernel.c

Ugh, I have like 2 more months before I delete this code :)

Anyway, nice find, and fix, I'll go queue it up now, thanks.

greg k-h
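
The bug class the commit message describes, a server-supplied byte count used as a memcpy() length, shown with its bounds checks in an added userspace example; this is not the ncpfs code or the patch from this thread. The reply layout (2-byte big-endian count followed by data), the function names and the sample replies are assumptions constructed for the example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed reply layout for this example: bytes 0-1 hold a big-endian
 * count of returned data bytes, the data follows from byte 2. */
#define REPLY_HDR 2

/* Copy reply data into target (capacity to_read, the amount requested).
 * Returns 0 and sets *bytes_read, or -EINVAL for a malformed reply. */
int copy_read_reply(const uint8_t *reply, size_t reply_len,
                    uint8_t *target, size_t to_read, size_t *bytes_read)
{
    size_t claimed;

    *bytes_read = 0;
    if (reply_len < REPLY_HDR)
        return -EINVAL;                  /* no room for the count field */
    claimed = ((size_t)reply[0] << 8) | reply[1];
    if (claimed > to_read)               /* larger than the caller's buffer */
        return -EINVAL;
    if (claimed > reply_len - REPLY_HDR) /* larger than what was received */
        return -EINVAL;
    memcpy(target, reply + REPLY_HDR, claimed);
    *bytes_read = claimed;
    return 0;
}

/* Constructed sample replies (not captured traffic). */
static const uint8_t honest[] = { 0x00, 0x04, 'd', 'a', 't', 'a' };
static const uint8_t oversized[66] = { 0x00, 0x40 };         /* claims 64, 8 requested */
static const uint8_t truncated[] = { 0x00, 0x08, 'x', 'y' }; /* claims 8, carries 2 */

/* Feed sample `which` to an 8-byte target followed by a guard byte.
 * Returns bytes copied, -EINVAL on rejection, or -1 if the guard changed. */
long demo(int which)
{
    const uint8_t *r = which == 0 ? honest : which == 1 ? oversized : truncated;
    size_t len = which == 0 ? sizeof(honest)
               : which == 1 ? sizeof(oversized) : sizeof(truncated);
    uint8_t buf[9];
    size_t n;
    int rc;

    memset(buf, 0xAA, sizeof(buf));
    rc = copy_read_reply(r, len, buf, 8, &n);
    if (buf[8] != 0xAA)
        return -1;
    return rc ? rc : (long)n;
}
```

The second check matters as much as the first: a count that fits the target but exceeds the bytes actually received would read past the end of the reply buffer.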