From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Nico Golde <nico@ngolde.de>,
Fabian Yamaguchi <fabs@goesec.de>,
Dan Carpenter <dan.carpenter@oracle.com>,
Linus Torvalds <torvalds@linux-foundation.org>
Subject: [PATCH 3.10 46/74] staging: wlags49_h2: buffer overflow setting station name
Date: Fri, 8 Nov 2013 22:51:51 -0800
Message-ID: <20131109065116.749234723@linuxfoundation.org>
In-Reply-To: <20131109065113.502217951@linuxfoundation.org>
3.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@oracle.com>
commit b5e2f339865fb443107e5b10603e53bbc92dc054 upstream.
We need to check the length parameter before doing the memcpy(). I've
actually changed it to strlcpy() as well so that it's NUL terminated.
You need CAP_NET_ADMIN to trigger these so it's not the end of the
world.
Reported-by: Nico Golde <nico@ngolde.de>
Reported-by: Fabian Yamaguchi <fabs@goesec.de>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/wlags49_h2/wl_priv.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
--- a/drivers/staging/wlags49_h2/wl_priv.c
+++ b/drivers/staging/wlags49_h2/wl_priv.c
@@ -570,6 +570,7 @@ int wvlan_uil_put_info(struct uilreq *ur
ltv_t *pLtv;
bool_t ltvAllocated = FALSE;
ENCSTRCT sEncryption;
+ size_t len;
#ifdef USE_WDS
hcf_16 hcfPort = HCF_PORT_0;
@@ -686,7 +687,8 @@ int wvlan_uil_put_info(struct uilreq *ur
break;
case CFG_CNF_OWN_NAME:
memset(lp->StationName, 0, sizeof(lp->StationName));
- memcpy((void *)lp->StationName, (void *)&pLtv->u.u8[2], (size_t)pLtv->u.u16[0]);
+ len = min_t(size_t, pLtv->u.u16[0], sizeof(lp->StationName));
+ strlcpy(lp->StationName, &pLtv->u.u8[2], len);
pLtv->u.u16[0] = CNV_INT_TO_LITTLE(pLtv->u.u16[0]);
break;
case CFG_CNF_LOAD_BALANCING:
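Review bot: In the CFG_CNF_OWN_NAME case, strlcpy() still measures the source with strlen(), so `&pLtv->u.u8[2]` is read up to its first NUL regardless of `len`; if the LTV payload is not NUL-terminated, that read can run past the bytes the caller actually supplied. The destination has just been zeroed by the memset(), so a bounded memcpy() of min_t(size_t, pLtv->u.u16[0], sizeof(lp->StationName) - 1) bytes would keep the result terminated without reading beyond the stated length.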
@@ -1783,6 +1785,7 @@ int wvlan_set_station_nickname(struct ne
{
struct wl_private *lp = wl_priv(dev);
unsigned long flags;
+ size_t len;
int ret = 0;
/*------------------------------------------------------------------------*/
@@ -1793,8 +1796,8 @@ int wvlan_set_station_nickname(struct ne
wl_lock(lp, &flags);
memset(lp->StationName, 0, sizeof(lp->StationName));
-
- memcpy(lp->StationName, extra, wrqu->data.length);
+ len = min_t(size_t, wrqu->data.length, sizeof(lp->StationName));
+ strlcpy(lp->StationName, extra, len);
/* Commit the adapter parameters */
wl_apply(lp);
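Review bot: In wvlan_set_station_nickname(), passing `len` as the strlcpy() size means at most `len - 1` bytes are copied, so when `wrqu->data.length` counts only the name characters and no terminator, the last character of the nickname is silently dropped. If that truncation is not intended, clamp to sizeof(lp->StationName) - 1 and copy exactly that many bytes, relying on the preceding memset() for the terminating NUL; a short comment stating whether `data.length` includes the terminator would make the choice reviewable.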