staging: wlags49_h2: buffer overflow setting station name

commit b5e2f339865fb443107e5b10603e53bbc92dc054 upstream. We need to check the length parameter before doing the memcpy(). I've actually changed it to strlcpy() as well so that it's NUL terminated. You need CAP_NET_ADMIN to trigger these so it's not the end of the world. Reported-by: Nico Golde <nico@ngolde.de> Reported-by: Fabian Yamaguchi <fabs@goesec.de> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Dan Carpenter <dan.carpenter@oracle.com> 2013-10-29 16:00:15 -0400
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2013-11-12 22:05:33 -0500
commit: e668dd8e47c2bc39c7bc31529dbe21c6169290bf (patch)
tree: 863ae3a019bd2e6723868030bfc57ade3c2d0fde
parent: 2958a1199ee79b5ad4cb80a4bf8da95ac602d796 (diff)
1 files changed, 6 insertions, 3 deletions
diff --git a/drivers/staging/wlags49_h2/wl_priv.c b/drivers/staging/wlags49_h2/wl_priv.c
index c97e0e154d28..7e10dcdc3090 100644
--- a/drivers/staging/wlags49_h2/wl_priv.c
+++ b/drivers/staging/wlags49_h2/wl_priv.c
@@ -570,6 +570,7 @@ int wvlan_uil_put_info(struct uilreq *urq, struct wl_private *lp)
        ltv_t                   *pLtv;
        bool_t                  ltvAllocated = FALSE;
        ENCSTRCT                sEncryption;
+        size_t                  len;
 #ifdef USE_WDS
        hcf_16                  hcfPort  = HCF_PORT_0;
@@ -686,7 +687,8 @@ int wvlan_uil_put_info(struct uilreq *urq, struct wl_private *lp)
                                        break;
                                case CFG_CNF_OWN_NAME:
                                        memset(lp->StationName, 0, sizeof(lp->StationName));
-                                        memcpy((void *)lp->StationName, (void *)&pLtv->u.u8[2], (size_t)pLtv->u.u16[0]);
+                                        len = min_t(size_t, pLtv->u.u16[0], sizeof(lp->StationName));
+                                        strlcpy(lp->StationName, &pLtv->u.u8[2], len);
                                        pLtv->u.u16[0] = CNV_INT_TO_LITTLE(pLtv->u.u16[0]);
                                        break;
                                case CFG_CNF_LOAD_BALANCING:
@@ -1783,6 +1785,7 @@ int wvlan_set_station_nickname(struct net_device *dev,
 {
        struct wl_private *lp = wl_priv(dev);
        unsigned long flags;
+        size_t len;
        int         ret = 0;
        /*------------------------------------------------------------------------*/
@@ -1793,8 +1796,8 @@ int wvlan_set_station_nickname(struct net_device *dev,
        wl_lock(lp, &flags);
        memset(lp->StationName, 0, sizeof(lp->StationName));
+        len = min_t(size_t, wrqu->data.length, sizeof(lp->StationName));
-        memcpy(lp->StationName, extra, wrqu->data.length);
+        strlcpy(lp->StationName, extra, len);
        /* Commit the adapter parameters */
        wl_apply(lp);
author	Dan Carpenter <dan.carpenter@oracle.com>	2013-10-29 16:00:15 -0400
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2013-11-12 22:05:33 -0500
commit	e668dd8e47c2bc39c7bc31529dbe21c6169290bf (patch)
tree	863ae3a019bd2e6723868030bfc57ade3c2d0fde
parent	2958a1199ee79b5ad4cb80a4bf8da95ac602d796 (diff)

diff --git a/drivers/staging/wlags49_h2/wl_priv.c b/drivers/staging/wlags49_h2/wl_priv.c index c97e0e154d28..7e10dcdc3090 100644 --- a/drivers/staging/wlags49_h2/wl_priv.c +++ b/drivers/staging/wlags49_h2/wl_priv.c
@@ -570,6 +570,7 @@ int wvlan_uil_put_info(struct uilreq urq, struct wl_private lp)
570	ltv_t *pLtv;	570	ltv_t *pLtv;
571	bool_t ltvAllocated = FALSE;	571	bool_t ltvAllocated = FALSE;
572	ENCSTRCT sEncryption;	572	ENCSTRCT sEncryption;
		573	size_t len;
573		574
574	#ifdef USE_WDS	575	#ifdef USE_WDS
575	hcf_16 hcfPort = HCF_PORT_0;	576	hcf_16 hcfPort = HCF_PORT_0;
@@ -686,7 +687,8 @@ int wvlan_uil_put_info(struct uilreq urq, struct wl_private lp)
686	break;	687	break;
687	case CFG_CNF_OWN_NAME:	688	case CFG_CNF_OWN_NAME:
688	memset(lp->StationName, 0, sizeof(lp->StationName));	689	memset(lp->StationName, 0, sizeof(lp->StationName));
689	memcpy((void )lp->StationName, (void )&pLtv->u.u8[2], (size_t)pLtv->u.u16[0]);	690	len = min_t(size_t, pLtv->u.u16[0], sizeof(lp->StationName));
		691	strlcpy(lp->StationName, &pLtv->u.u8[2], len);
690	pLtv->u.u16[0] = CNV_INT_TO_LITTLE(pLtv->u.u16[0]);	692	pLtv->u.u16[0] = CNV_INT_TO_LITTLE(pLtv->u.u16[0]);
691	break;	693	break;
692	case CFG_CNF_LOAD_BALANCING:	694	case CFG_CNF_LOAD_BALANCING:
@@ -1783,6 +1785,7 @@ int wvlan_set_station_nickname(struct net_device *dev,
1783	{	1785	{
1784	struct wl_private *lp = wl_priv(dev);	1786	struct wl_private *lp = wl_priv(dev);
1785	unsigned long flags;	1787	unsigned long flags;
		1788	size_t len;
1786	int ret = 0;	1789	int ret = 0;
1787	/------------------------------------------------------------------------/	1790	/------------------------------------------------------------------------/
1788		1791
@@ -1793,8 +1796,8 @@ int wvlan_set_station_nickname(struct net_device *dev,
1793	wl_lock(lp, &flags);	1796	wl_lock(lp, &flags);
1794		1797
1795	memset(lp->StationName, 0, sizeof(lp->StationName));	1798	memset(lp->StationName, 0, sizeof(lp->StationName));
1796		1799	len = min_t(size_t, wrqu->data.length, sizeof(lp->StationName));
1797	memcpy(lp->StationName, extra, wrqu->data.length);	1800	strlcpy(lp->StationName, extra, len);
1798		1801
1799	/* Commit the adapter parameters */	1802	/* Commit the adapter parameters */
1800	wl_apply(lp);	1803	wl_apply(lp);