staging: wlags49_h2: buffer overflow setting station name

We need to check the length parameter before doing the memcpy(). I've actually changed it to strlcpy() as well so that it's NUL terminated. You need CAP_NET_ADMIN to trigger these so it's not the end of the world. Reported-by: Nico Golde <nico@ngolde.de> Reported-by: Fabian Yamaguchi <fabs@goesec.de> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Cc: stable@kernel.org Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
author: Dan Carpenter <dan.carpenter@oracle.com> 2013-10-29 16:00:15 -0400
committer: Linus Torvalds <torvalds@linux-foundation.org> 2013-10-30 15:24:49 -0400
commit: b5e2f339865fb443107e5b10603e53bbc92dc054 (patch)
tree: 1d6d0b95d4efb6894cfc1d7c13c731e287da4278
parent: f856567b930dfcdbc3323261bf77240ccdde01f5 (diff)
1 files changed, 6 insertions, 3 deletions
diff --git a/drivers/staging/wlags49_h2/wl_priv.c b/drivers/staging/wlags49_h2/wl_priv.c
index c97e0e154d28..7e10dcdc3090 100644
--- a/drivers/staging/wlags49_h2/wl_priv.c
+++ b/drivers/staging/wlags49_h2/wl_priv.c
@@ -570,6 +570,7 @@ int wvlan_uil_put_info(struct uilreq *urq, struct wl_private *lp)
        ltv_t                   *pLtv;
        bool_t                  ltvAllocated = FALSE;
        ENCSTRCT                sEncryption;
+        size_t                  len;
 #ifdef USE_WDS
        hcf_16                  hcfPort  = HCF_PORT_0;
@@ -686,7 +687,8 @@ int wvlan_uil_put_info(struct uilreq *urq, struct wl_private *lp)
                                        break;
                                case CFG_CNF_OWN_NAME:
                                        memset(lp->StationName, 0, sizeof(lp->StationName));
-                                        memcpy((void *)lp->StationName, (void *)&pLtv->u.u8[2], (size_t)pLtv->u.u16[0]);
+                                        len = min_t(size_t, pLtv->u.u16[0], sizeof(lp->StationName));
+                                        strlcpy(lp->StationName, &pLtv->u.u8[2], len);
                                        pLtv->u.u16[0] = CNV_INT_TO_LITTLE(pLtv->u.u16[0]);
                                        break;
                                case CFG_CNF_LOAD_BALANCING:
@@ -1783,6 +1785,7 @@ int wvlan_set_station_nickname(struct net_device *dev,
 {
        struct wl_private *lp = wl_priv(dev);
        unsigned long flags;
+        size_t len;
        int         ret = 0;
        /*------------------------------------------------------------------------*/
@@ -1793,8 +1796,8 @@ int wvlan_set_station_nickname(struct net_device *dev,
        wl_lock(lp, &flags);
        memset(lp->StationName, 0, sizeof(lp->StationName));
+        len = min_t(size_t, wrqu->data.length, sizeof(lp->StationName));
-        memcpy(lp->StationName, extra, wrqu->data.length);
+        strlcpy(lp->StationName, extra, len);
        /* Commit the adapter parameters */
        wl_apply(lp);
author	Dan Carpenter <dan.carpenter@oracle.com>	2013-10-29 16:00:15 -0400
committer	Linus Torvalds <torvalds@linux-foundation.org>	2013-10-30 15:24:49 -0400
commit	b5e2f339865fb443107e5b10603e53bbc92dc054 (patch)
tree	1d6d0b95d4efb6894cfc1d7c13c731e287da4278
parent	f856567b930dfcdbc3323261bf77240ccdde01f5 (diff)

diff --git a/drivers/staging/wlags49_h2/wl_priv.c b/drivers/staging/wlags49_h2/wl_priv.c index c97e0e154d28..7e10dcdc3090 100644 --- a/drivers/staging/wlags49_h2/wl_priv.c +++ b/drivers/staging/wlags49_h2/wl_priv.c
@@ -570,6 +570,7 @@ int wvlan_uil_put_info(struct uilreq urq, struct wl_private lp)
570	ltv_t *pLtv;	570	ltv_t *pLtv;
571	bool_t ltvAllocated = FALSE;	571	bool_t ltvAllocated = FALSE;
572	ENCSTRCT sEncryption;	572	ENCSTRCT sEncryption;
		573	size_t len;
573		574
574	#ifdef USE_WDS	575	#ifdef USE_WDS
575	hcf_16 hcfPort = HCF_PORT_0;	576	hcf_16 hcfPort = HCF_PORT_0;
@@ -686,7 +687,8 @@ int wvlan_uil_put_info(struct uilreq urq, struct wl_private lp)
686	break;	687	break;
687	case CFG_CNF_OWN_NAME:	688	case CFG_CNF_OWN_NAME:
688	memset(lp->StationName, 0, sizeof(lp->StationName));	689	memset(lp->StationName, 0, sizeof(lp->StationName));
689	memcpy((void )lp->StationName, (void )&pLtv->u.u8[2], (size_t)pLtv->u.u16[0]);	690	len = min_t(size_t, pLtv->u.u16[0], sizeof(lp->StationName));
		691	strlcpy(lp->StationName, &pLtv->u.u8[2], len);
690	pLtv->u.u16[0] = CNV_INT_TO_LITTLE(pLtv->u.u16[0]);	692	pLtv->u.u16[0] = CNV_INT_TO_LITTLE(pLtv->u.u16[0]);
691	break;	693	break;
692	case CFG_CNF_LOAD_BALANCING:	694	case CFG_CNF_LOAD_BALANCING:
@@ -1783,6 +1785,7 @@ int wvlan_set_station_nickname(struct net_device *dev,
1783	{	1785	{
1784	struct wl_private *lp = wl_priv(dev);	1786	struct wl_private *lp = wl_priv(dev);
1785	unsigned long flags;	1787	unsigned long flags;
		1788	size_t len;
1786	int ret = 0;	1789	int ret = 0;
1787	/------------------------------------------------------------------------/	1790	/------------------------------------------------------------------------/
1788		1791
@@ -1793,8 +1796,8 @@ int wvlan_set_station_nickname(struct net_device *dev,
1793	wl_lock(lp, &flags);	1796	wl_lock(lp, &flags);
1794		1797
1795	memset(lp->StationName, 0, sizeof(lp->StationName));	1798	memset(lp->StationName, 0, sizeof(lp->StationName));
1796		1799	len = min_t(size_t, wrqu->data.length, sizeof(lp->StationName));
1797	memcpy(lp->StationName, extra, wrqu->data.length);	1800	strlcpy(lp->StationName, extra, len);
1798		1801
1799	/* Commit the adapter parameters */	1802	/* Commit the adapter parameters */
1800	wl_apply(lp);	1803	wl_apply(lp);