[thirdparty/kernel/stable-queue.git] / releases / 2.6.36.2 / irda-fix-parameter-extraction-stack-overflow.patch

From efc463eb508798da4243625b08c7396462cabf9f Mon Sep 17 00:00:00 2001
From: Samuel Ortiz <samuel@sortiz.org>
Date: Mon, 11 Oct 2010 01:17:56 +0200
Subject: irda: Fix parameter extraction stack overflow

From: Samuel Ortiz <samuel@sortiz.org>

commit efc463eb508798da4243625b08c7396462cabf9f upstream.

Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Samuel Ortiz <samuel@sortiz.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 net/irda/parameters.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/net/irda/parameters.c
+++ b/net/irda/parameters.c
@@ -298,6 +298,8 @@ static int irda_extract_string(void *sel
 
 	p.pi = pi;     /* In case handler needs to know */
 	p.pl = buf[1]; /* Extract length of value */
+	if (p.pl > 32)
+		p.pl = 32;
 
 	IRDA_DEBUG(2, "%s(), pi=%#x, pl=%d\n", __func__,
 		   p.pi, p.pl);
@@ -318,7 +320,7 @@ static int irda_extract_string(void *sel
 		   (__u8) str[0], (__u8) str[1]);
 
 	/* Null terminate string */
-	str[p.pl+1] = '\0';
+	str[p.pl] = '\0';
 
 	p.pv.c = str; /* Handler will need to take a copy */
Commit	Line	Data
d476d390 GKH	1	From efc463eb508798da4243625b08c7396462cabf9f Mon Sep 17 00:00:00 2001
	2	From: Samuel Ortiz <samuel@sortiz.org>
	3	Date: Mon, 11 Oct 2010 01:17:56 +0200
	4	Subject: irda: Fix parameter extraction stack overflow
	5
	6	From: Samuel Ortiz <samuel@sortiz.org>
	7
	8	commit efc463eb508798da4243625b08c7396462cabf9f upstream.
	9
	10	Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
	11	Signed-off-by: Samuel Ortiz <samuel@sortiz.org>
	12	Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
	13
	14	---
	15	net/irda/parameters.c \| 4 +++-
	16	1 file changed, 3 insertions(+), 1 deletion(-)
	17
	18	--- a/net/irda/parameters.c
	19	+++ b/net/irda/parameters.c
	20	@@ -298,6 +298,8 @@ static int irda_extract_string(void *sel
	21
	22	p.pi = pi; /* In case handler needs to know */
	23	p.pl = buf[1]; /* Extract length of value */
	24	+ if (p.pl > 32)
	25	+ p.pl = 32;
	26
	27	IRDA_DEBUG(2, "%s(), pi=%#x, pl=%d\n", __func__,
	28	p.pi, p.pl);
	29	@@ -318,7 +320,7 @@ static int irda_extract_string(void *sel
	30	(__u8) str[0], (__u8) str[1]);
	31
	32	/* Null terminate string */
	33	- str[p.pl+1] = '\0';
	34	+ str[p.pl] = '\0';
	35
	36	p.pv.c = str; /* Handler will need to take a copy */
	37