.32 patches
authorGreg Kroah-Hartman <gregkh@suse.de>
Wed, 22 Sep 2010 20:18:40 +0000 (13:18 -0700)
committerGreg Kroah-Hartman <gregkh@suse.de>
Wed, 22 Sep 2010 20:18:40 +0000 (13:18 -0700)
queue-2.6.32/net-llc-make-opt-unsigned-in-llc_ui_setsockopt.patch [new file with mode: 0644]
queue-2.6.32/series
queue-2.6.32/staging-vt6655-fix-buffer-overflow.patch [new file with mode: 0644]

diff --git a/queue-2.6.32/net-llc-make-opt-unsigned-in-llc_ui_setsockopt.patch b/queue-2.6.32/net-llc-make-opt-unsigned-in-llc_ui_setsockopt.patch
new file mode 100644 (file)
index 0000000..e72afdb
--- /dev/null
@@ -0,0 +1,33 @@
+From 339db11b219f36cf7da61b390992d95bb6b7ba2e Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <error27@gmail.com>
+Date: Fri, 10 Sep 2010 01:56:16 +0000
+Subject: net/llc: make opt unsigned in llc_ui_setsockopt()
+
+From: Dan Carpenter <error27@gmail.com>
+
+commit 339db11b219f36cf7da61b390992d95bb6b7ba2e upstream.
+
+The members of struct llc_sock are unsigned so if we pass a negative
+value for "opt" it can cause a sign bug.  Also it can cause an integer
+overflow when we multiply "opt * HZ".
+
+Signed-off-by: Dan Carpenter <error27@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/llc/af_llc.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/llc/af_llc.c
++++ b/net/llc/af_llc.c
+@@ -977,7 +977,8 @@ static int llc_ui_setsockopt(struct sock
+ {
+       struct sock *sk = sock->sk;
+       struct llc_sock *llc = llc_sk(sk);
+-      int rc = -EINVAL, opt;
++      unsigned int opt;
++      int rc = -EINVAL;
+       lock_sock(sk);
+       if (unlikely(level != SOL_LLC || optlen != sizeof(int)))
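Review bot: Making `opt` unsigned closes the negative-value case only if every option branch compares `opt` with an upper bound before storing it or computing `opt * HZ`. Those branches are outside this hunk, so this should be confirmed against the full body of llc_ui_setsockopt(). An unsigned multiply still wraps silently, so the bound check is what prevents the overflow named in the commit message. The declaration would benefit from a comment such as `/* unsigned: a negative user value must fail the per-option maximum checks */`. The length test could also be written `optlen != sizeof(opt)` so that it follows the variable's type.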
index dca9488d165bc126caf3c917379063c66f213aa0..7b15f8f4d1d38302d5ca4c8dc76772f824f0ed5b 100644 (file)
@@ -19,3 +19,5 @@ drivers-net-usb-hso.c-prevent-reading-uninitialized-memory.patch
 drivers-net-cxgb3-cxgb3_main.c-prevent-reading-uninitialized-stack-memory.patch
 drivers-net-eql.c-prevent-reading-uninitialized-stack-memory.patch
 bonding-correctly-process-non-linear-skbs.patch
+staging-vt6655-fix-buffer-overflow.patch
+net-llc-make-opt-unsigned-in-llc_ui_setsockopt.patch
diff --git a/queue-2.6.32/staging-vt6655-fix-buffer-overflow.patch b/queue-2.6.32/staging-vt6655-fix-buffer-overflow.patch
new file mode 100644 (file)
index 0000000..c967623
--- /dev/null
@@ -0,0 +1,48 @@
+From dd173abfead903c7df54e977535973f3312cd307 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <error27@gmail.com>
+Date: Mon, 6 Sep 2010 14:32:30 +0200
+Subject: Staging: vt6655: fix buffer overflow
+
+From: Dan Carpenter <error27@gmail.com>
+
+commit dd173abfead903c7df54e977535973f3312cd307 upstream.
+
+"param->u.wpa_associate.wpa_ie_len" comes from the user.  We should
+check it so that the copy_from_user() doesn't overflow the buffer.
+
+Also further down in the function, we assume that if
+"param->u.wpa_associate.wpa_ie_len" is set then "abyWPAIE[0]" is
+initialized.  To make that work, I changed the test here to say that if
+"wpa_ie_len" is set then "wpa_ie" has to be a valid pointer or we return
+-EINVAL.
+
+Oddly, we only use the first element of the abyWPAIE[] array.  So I
+suspect there may be some other issues in this function.
+
+Signed-off-by: Dan Carpenter <error27@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/staging/vt6655/wpactl.c |   11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/drivers/staging/vt6655/wpactl.c
++++ b/drivers/staging/vt6655/wpactl.c
+@@ -767,9 +767,14 @@ static int wpa_set_associate(PSDevice pD
+     DBG_PRT(MSG_LEVEL_DEBUG, KERN_INFO "wpa_ie_len = %d\n", param->u.wpa_associate.wpa_ie_len);
+-      if (param->u.wpa_associate.wpa_ie &&
+-          copy_from_user(&abyWPAIE[0], param->u.wpa_associate.wpa_ie, param->u.wpa_associate.wpa_ie_len))
+-          return -EINVAL;
++      if (param->u.wpa_associate.wpa_ie_len) {
++              if (!param->u.wpa_associate.wpa_ie)
++                      return -EINVAL;
++              if (param->u.wpa_associate.wpa_ie_len > sizeof(abyWPAIE))
++                      return -EINVAL;
++              if (copy_from_user(&abyWPAIE[0], param->u.wpa_associate.wpa_ie, param->u.wpa_associate.wpa_ie_len))
++                      return -EFAULT;
++      }
+       if (param->u.wpa_associate.mode == 1)
+           pMgmt->eConfigMode = WMAC_CONFIG_IBSS_STA;
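Review bot: The new bound `param->u.wpa_associate.wpa_ie_len > sizeof(abyWPAIE)` rejects a negative length only through the implicit conversion to size_t. The `%d` in the DBG_PRT line suggests the field may be a signed int, though its declaration is not on this page. A comment above the check would protect it from a later cast or refactor, e.g. `/* wpa_ie_len is user-supplied; compared as size_t, so negative values are rejected as well */`. A failed copy now returns -EFAULT where the old code returned -EINVAL; that is the conventional errno, but it is a userspace-visible change the commit text does not mention. wpa_set_associate() starts and ends outside the hunk, so it cannot be checked here whether later code reads only bytes that were actually copied.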