In dgrp_receive() there is: desclen = ((plen - 12) > MAX_DESC_LEN) ? MAX_DESC_LEN : plen - 12; strncpy(nd->nd_ps_desc, b + 12, desclen); However, it's possible for plen to be <= 12 here so we'd be passing a negative number into the strncpy(). Fix this to not make the strncpy call and report an error if desclen is <= 0 Reported-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> Signed-off-by: Bill Pemberton <wfp5p@xxxxxxxxxxxx> --- drivers/staging/dgrp/dgrp_net_ops.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/staging/dgrp/dgrp_net_ops.c b/drivers/staging/dgrp/dgrp_net_ops.c index d9d6b67..ab839ea 100644 --- a/drivers/staging/dgrp/dgrp_net_ops.c +++ b/drivers/staging/dgrp/dgrp_net_ops.c @@ -3156,6 +3156,12 @@ check_query: nd->nd_hw_id = b[6]; desclen = ((plen - 12) > MAX_DESC_LEN) ? MAX_DESC_LEN : plen - 12; + + if (desclen <= 0) { + error = "Response Packet desclen error"; + goto prot_error; + } + strncpy(nd->nd_ps_desc, b + 12, desclen); nd->nd_ps_desc[desclen] = 0; } -- 1.7.12 _______________________________________________ devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxx http://driverdev.linuxdriverproject.org/mailman/listinfo/devel