]>
Commit | Line | Data |
---|---|---|
d476d390 GKH |
1 | From efc463eb508798da4243625b08c7396462cabf9f Mon Sep 17 00:00:00 2001 |
2 | From: Samuel Ortiz <samuel@sortiz.org> | |
3 | Date: Mon, 11 Oct 2010 01:17:56 +0200 | |
4 | Subject: irda: Fix parameter extraction stack overflow | |
5 | ||
6 | From: Samuel Ortiz <samuel@sortiz.org> | |
7 | ||
8 | commit efc463eb508798da4243625b08c7396462cabf9f upstream. | |
9 | ||
10 | Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> | |
11 | Signed-off-by: Samuel Ortiz <samuel@sortiz.org> | |
12 | Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> | |
13 | ||
14 | --- | |
15 | net/irda/parameters.c | 4 +++- | |
16 | 1 file changed, 3 insertions(+), 1 deletion(-) | |
17 | ||
18 | --- a/net/irda/parameters.c | |
19 | +++ b/net/irda/parameters.c | |
20 | @@ -298,6 +298,8 @@ static int irda_extract_string(void *sel | |
21 | ||
22 | p.pi = pi; /* In case handler needs to know */ | |
23 | p.pl = buf[1]; /* Extract length of value */ | |
24 | + if (p.pl > 32) | |
25 | + p.pl = 32; | |
26 | ||
27 | IRDA_DEBUG(2, "%s(), pi=%#x, pl=%d\n", __func__, | |
28 | p.pi, p.pl); | |
29 | @@ -318,7 +320,7 @@ static int irda_extract_string(void *sel | |
30 | (__u8) str[0], (__u8) str[1]); | |
31 | ||
32 | /* Null terminate string */ | |
33 | - str[p.pl+1] = '\0'; | |
34 | + str[p.pl] = '\0'; | |
35 | ||
36 | p.pv.c = str; /* Handler will need to take a copy */ | |
37 |