aboutsummaryrefslogtreecommitdiffstats
path: root/drivers/net/wireless/wl12xx
diff options
context:
space:
mode:
authorLuciano Coelho <coelho@ti.com>2011-04-01 12:42:02 -0400
committerJohn W. Linville <linville@tuxdriver.com>2011-04-04 15:22:12 -0400
commit09b661b33268698d3b453dceb78cda129ad899b4 (patch)
treee5e1760d61f665bfb3216ef6de7c3a9c6b26d80c /drivers/net/wireless/wl12xx
parent023535732f4db01af4921f20f058bc4561d9add7 (diff)
wl12xx: fix potential buffer overflow in testmode nvs push
We were allocating the size of the NVS file struct and not checking whether the length of the buffer passed was correct before copying it into the allocated memory. This is a security hole because buffer overflows can occur if the userspace passes a bigger file than what is expected. With this patch, we check if the size of the data passed from userspace matches the size required. This bug was introduced in 2.6.36. Cc: stable@kernel.org Reported-by: Ido Yariv <ido@wizery.com> Signed-off-by: Luciano Coelho <coelho@ti.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'drivers/net/wireless/wl12xx')
-rw-r--r--drivers/net/wireless/wl12xx/testmode.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/drivers/net/wireless/wl12xx/testmode.c b/drivers/net/wireless/wl12xx/testmode.c
index e64403b6896d..6ec06a4a4c6d 100644
--- a/drivers/net/wireless/wl12xx/testmode.c
+++ b/drivers/net/wireless/wl12xx/testmode.c
@@ -204,7 +204,10 @@ static int wl1271_tm_cmd_nvs_push(struct wl1271 *wl, struct nlattr *tb[])
204 204
205 kfree(wl->nvs); 205 kfree(wl->nvs);
206 206
207 wl->nvs = kzalloc(sizeof(struct wl1271_nvs_file), GFP_KERNEL); 207 if (len != sizeof(struct wl1271_nvs_file))
208 return -EINVAL;
209
210 wl->nvs = kzalloc(len, GFP_KERNEL);
208 if (!wl->nvs) { 211 if (!wl->nvs) {
209 wl1271_error("could not allocate memory for the nvs file"); 212 wl1271_error("could not allocate memory for the nvs file");
210 ret = -ENOMEM; 213 ret = -ENOMEM;