Hi Dan Carpenter or Greg,

b5e2f339865fb443107e5b10603e53bbc92dc054
staging: wlags49_h2: buffer overflow setting station name

This patch, which fixed CVE-2013-4514, looks applicable to stable-3.4.

It can't be applied directly due to blank space & blank line problems, introduced by patch ceb121ae (staging: wlags49_h2: wl_priv: fixes spacing around parentheses).

I've adjusted the context manually. Now it builds successfully for me.

What do you think?

Thanks,
Xie XiuQi

--------------------------------------

From: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Date: Thu, 23 Jan 2014 14:40:52 +0800
Subject: [PATCH] staging: wlags49_h2: buffer overflow setting station name

commit b5e2f339865fb443107e5b10603e53bbc92dc054 upstream.

We need to check the length parameter before doing the memcpy(). I've actually changed it to strlcpy() as well so that it's NUL terminated.

You need CAP_NET_ADMIN to trigger these so it's not the end of the world.

Reported-by: Nico Golde <nico@xxxxxxxxx>
Reported-by: Fabian Yamaguchi <fabs@xxxxxxxxx>
Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Cc: stable@xxxxxxxxxx
Signed-off-by: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
[XiuQi: Backported to 3.4: Adjust context]
Signed-off-by: Xie XiuQi <xiexiuqi@xxxxxxxxxx>
--- drivers/staging/wlags49_h2/wl_priv.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/staging/wlags49_h2/wl_priv.c b/drivers/staging/wlags49_h2/wl_priv.c index f30e5ee..e68c51e 100644 --- a/drivers/staging/wlags49_h2/wl_priv.c +++ b/drivers/staging/wlags49_h2/wl_priv.c @@ -570,6 +570,7 @@ int wvlan_uil_put_info( struct uilreq *urq, struct wl_private *lp ) ltv_t *pLtv; bool_t ltvAllocated = FALSE; ENCSTRCT sEncryption; + size_t len; #ifdef USE_WDS hcf_16 hcfPort = HCF_PORT_0; 
@@ -686,7 +687,8 @@ int wvlan_uil_put_info( struct uilreq *urq, struct wl_private *lp ) break; case CFG_CNF_OWN_NAME: memset( lp->StationName, 0, sizeof( lp->StationName )); - memcpy( (void *)lp->StationName, (void *)&pLtv->u.u8[2], (size_t)pLtv->u.u16[0]); + len = min_t(size_t, pLtv->u.u16[0], sizeof(lp->StationName)); + strlcpy(lp->StationName, &pLtv->u.u8[2], len); pLtv->u.u16[0] = CNV_INT_TO_LITTLE( pLtv->u.u16[0] ); break; case CFG_CNF_LOAD_BALANCING: @@ -1800,6 +1802,7 @@ int wvlan_set_station_nickname(struct net_device *dev, { struct wl_private *lp = wl_priv(dev); unsigned long flags; + size_t len; int ret = 0; /*------------------------------------------------------------------------*/ @@ -1811,7 +1814,8 @@ int wvlan_set_station_nickname(struct net_device *dev, memset( lp->StationName, 0, sizeof( lp->StationName )); - memcpy( lp->StationName, extra, wrqu->data.length); + len = min_t(size_t, wrqu->data.length, sizeof(lp->StationName)); + strlcpy(lp->StationName, extra, len); /* Commit the adapter parameters */ wl_apply( lp ); -- 1.8.2.2
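
Review bot: in the CFG_CNF_OWN_NAME case of wvlan_uil_put_info(), `strlcpy(lp->StationName, &pLtv->u.u8[2], len)` bounds the write but not the read. The kernel's strlcpy() takes strlen() of the source before copying, so if the name bytes in pLtv are not NUL terminated it keeps scanning past the length given in `pLtv->u.u16[0]`. The memset() on the line above already zeroes the destination, so a memcpy() of `min_t(size_t, pLtv->u.u16[0], sizeof(lp->StationName) - 1)` bytes would leave the result terminated without reading beyond the stated length.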
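
Review bot: in wvlan_set_station_nickname(), passing `len = min_t(size_t, wrqu->data.length, sizeof(lp->StationName))` as the strlcpy() size means at most len - 1 bytes are copied, so when `wrqu->data.length` is smaller than the buffer and does not count a trailing NUL, the last character of the nickname is silently dropped. Please either add a comment stating that data.length includes the terminator here, or clamp to `sizeof(lp->StationName) - 1` and copy exactly that many bytes, relying on the preceding memset() for termination.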