From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Nico Golde <nico@ngolde.de>,
Fabian Yamaguchi <fabs@goesec.de>,
Dan Carpenter <dan.carpenter@oracle.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
Xie XiuQi <xiexiuqi@huawei.com>
Subject: [PATCH 3.4 12/12] staging: wlags49_h2: buffer overflow setting station name
Date: Sat, 25 Jan 2014 19:05:15 -0800 [thread overview]
Message-ID: <20140126030452.867444188@linuxfoundation.org> (raw)
In-Reply-To: <20140126030451.934281002@linuxfoundation.org>
3.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@oracle.com>
commit b5e2f339865fb443107e5b10603e53bbc92dc054 upstream.
We need to check the length parameter before doing the memcpy(). I've
actually changed it to strlcpy() as well so that it's NUL terminated.
You need CAP_NET_ADMIN to trigger these so it's not the end of the
world.
[XiuQi: Backported to 3.4: Adjust context]
Reported-by: Nico Golde <nico@ngolde.de>
Reported-by: Fabian Yamaguchi <fabs@goesec.de>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Xie XiuQi <xiexiuqi@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/wlags49_h2/wl_priv.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
--- a/drivers/staging/wlags49_h2/wl_priv.c
+++ b/drivers/staging/wlags49_h2/wl_priv.c
@@ -570,6 +570,7 @@ int wvlan_uil_put_info( struct uilreq *u
ltv_t *pLtv;
bool_t ltvAllocated = FALSE;
ENCSTRCT sEncryption;
+ size_t len;
#ifdef USE_WDS
hcf_16 hcfPort = HCF_PORT_0;
@@ -686,7 +687,8 @@ int wvlan_uil_put_info( struct uilreq *u
break;
case CFG_CNF_OWN_NAME:
memset( lp->StationName, 0, sizeof( lp->StationName ));
- memcpy( (void *)lp->StationName, (void *)&pLtv->u.u8[2], (size_t)pLtv->u.u16[0]);
+ len = min_t(size_t, pLtv->u.u16[0], sizeof(lp->StationName));
+ strlcpy(lp->StationName, &pLtv->u.u8[2], len);
pLtv->u.u16[0] = CNV_INT_TO_LITTLE( pLtv->u.u16[0] );
break;
case CFG_CNF_LOAD_BALANCING:
@@ -1800,6 +1802,7 @@ int wvlan_set_station_nickname(struct ne
{
struct wl_private *lp = wl_priv(dev);
unsigned long flags;
+ size_t len;
int ret = 0;
/*------------------------------------------------------------------------*/
@@ -1811,7 +1814,8 @@ int wvlan_set_station_nickname(struct ne
memset( lp->StationName, 0, sizeof( lp->StationName ));
- memcpy( lp->StationName, extra, wrqu->data.length);
+ len = min_t(size_t, wrqu->data.length, sizeof(lp->StationName));
+ strlcpy(lp->StationName, extra, len);
/* Commit the adapter parameters */
wl_apply( lp );
next prev parent reply other threads:[~2014-01-26 3:05 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-01-26 3:05 [PATCH 3.4 00/12] 3.4.78-stable review Greg Kroah-Hartman
2014-01-26 3:05 ` [PATCH 3.4 01/12] KVM: x86: Convert vapic synchronization to _cached functions (CVE-2013-6368) Greg Kroah-Hartman
2014-01-26 3:05 ` [PATCH 3.4 02/12] staging: comedi: 8255_pci: fix for newer PCI-DIO48H Greg Kroah-Hartman
2014-01-26 3:05 ` [PATCH 3.4 03/12] perf/x86/amd/ibs: Fix waking up from S3 for AMD family 10h Greg Kroah-Hartman
2014-01-26 3:05 ` [PATCH 3.4 04/12] mm/memory-failure.c: recheck PageHuge() after hugetlb page migrate successfully Greg Kroah-Hartman
2014-01-26 3:05 ` [PATCH 3.4 05/12] hwmon: (coretemp) Fix truncated name of alarm attributes Greg Kroah-Hartman
2014-01-26 3:05 ` [PATCH 3.4 06/12] SELinux: Fix possible NULL pointer dereference in selinux_inode_permission() Greg Kroah-Hartman
2014-01-26 3:05 ` [PATCH 3.4 07/12] nilfs2: fix segctor bug that causes file system corruption Greg Kroah-Hartman
2014-01-26 3:05 ` [PATCH 3.4 08/12] md/raid10: fix bug when raid10 recovery fails to recover a block Greg Kroah-Hartman
2014-01-26 3:05 ` [PATCH 3.4 09/12] md/raid10: fix two bugs in handling of known-bad-blocks Greg Kroah-Hartman
2014-01-26 3:05 ` [PATCH 3.4 10/12] md/raid5: Fix possible confusion when multiple write errors occur Greg Kroah-Hartman
2014-01-26 3:05 ` [PATCH 3.4 11/12] serial: amba-pl011: use port lock to guard control register access Greg Kroah-Hartman
2014-01-26 3:05 ` Greg Kroah-Hartman [this message]
2014-01-26 5:17 ` [PATCH 3.4 00/12] 3.4.78-stable review Guenter Roeck
2014-01-26 16:08 ` Greg Kroah-Hartman
2014-01-27 11:17 ` Satoru Takeuchi
2014-01-27 13:34 ` Greg Kroah-Hartman
2014-01-27 17:18 ` Shuah Khan
2014-01-27 17:31 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140126030452.867444188@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=dan.carpenter@oracle.com \
--cc=fabs@goesec.de \
--cc=linux-kernel@vger.kernel.org \
--cc=nico@ngolde.de \
--cc=stable@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=xiexiuqi@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).