3.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 23 Jan 2014 18:17:43 +0000 (10:17 -0800)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 23 Jan 2014 18:17:43 +0000 (10:17 -0800)
added patches:
staging-wlags49_h2-buffer-overflow-setting-station-name.patch

queue-3.4/series
queue-3.4/staging-wlags49_h2-buffer-overflow-setting-station-name.patch [new file with mode: 0644]

index a8bc94840788e16aa6f17e02d3c0fae6ecc0ed21..181e1e31a60a7527f32b1fbf08a0f5c55f209b45 100644 (file)
@@ -9,3 +9,4 @@ md-raid10-fix-bug-when-raid10-recovery-fails-to-recover-a-block.patch
 md-raid10-fix-two-bugs-in-handling-of-known-bad-blocks.patch
 md-raid5-fix-possible-confusion-when-multiple-write-errors-occur.patch
 serial-amba-pl011-use-port-lock-to-guard-control-register-access.patch
+staging-wlags49_h2-buffer-overflow-setting-station-name.patch
diff --git a/queue-3.4/staging-wlags49_h2-buffer-overflow-setting-station-name.patch b/queue-3.4/staging-wlags49_h2-buffer-overflow-setting-station-name.patch
new file mode 100644 (file)
index 0000000..73abcb6
--- /dev/null
@@ -0,0 +1,65 @@
+From b5e2f339865fb443107e5b10603e53bbc92dc054 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 29 Oct 2013 23:00:15 +0300
+Subject: staging: wlags49_h2: buffer overflow setting station name
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit b5e2f339865fb443107e5b10603e53bbc92dc054 upstream.
+
+We need to check the length parameter before doing the memcpy().  I've
+actually changed it to strlcpy() as well so that it's NUL terminated.
+
+You need CAP_NET_ADMIN to trigger these so it's not the end of the
+world.
+
+[XiuQi: Backported to 3.4: Adjust context]
+
+Reported-by: Nico Golde <nico@ngolde.de>
+Reported-by: Fabian Yamaguchi <fabs@goesec.de>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Xie XiuQi <xiexiuqi@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/wlags49_h2/wl_priv.c |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/staging/wlags49_h2/wl_priv.c
++++ b/drivers/staging/wlags49_h2/wl_priv.c
+@@ -570,6 +570,7 @@ int wvlan_uil_put_info( struct uilreq *u
+       ltv_t                   *pLtv;
+       bool_t                  ltvAllocated = FALSE;
+       ENCSTRCT                sEncryption;
++      size_t                  len;
+ #ifdef USE_WDS
+       hcf_16                  hcfPort  = HCF_PORT_0;
+@@ -686,7 +687,8 @@ int wvlan_uil_put_info( struct uilreq *u
+                                       break;
+                               case CFG_CNF_OWN_NAME:
+                                       memset( lp->StationName, 0, sizeof( lp->StationName ));
+-                                      memcpy( (void *)lp->StationName, (void *)&pLtv->u.u8[2], (size_t)pLtv->u.u16[0]);
++                                      len = min_t(size_t, pLtv->u.u16[0], sizeof(lp->StationName));
++                                      strlcpy(lp->StationName, &pLtv->u.u8[2], len);
+                                       pLtv->u.u16[0] = CNV_INT_TO_LITTLE( pLtv->u.u16[0] );
+                                       break;
+                               case CFG_CNF_LOAD_BALANCING:
+@@ -1800,6 +1802,7 @@ int wvlan_set_station_nickname(struct ne
+ {
+         struct wl_private *lp = wl_priv(dev);
+         unsigned long flags;
++      size_t len;
+         int         ret = 0;
+       /*------------------------------------------------------------------------*/
+@@ -1811,7 +1814,8 @@ int wvlan_set_station_nickname(struct ne
+         memset( lp->StationName, 0, sizeof( lp->StationName ));
+-        memcpy( lp->StationName, extra, wrqu->data.length);
++      len = min_t(size_t, wrqu->data.length, sizeof(lp->StationName));
++      strlcpy(lp->StationName, extra, len);
+         /* Commit the adapter parameters */
+         wl_apply( lp );
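Review bot: In both replaced copies (the `CFG_CNF_OWN_NAME` case in wvlan_uil_put_info and the copy in wvlan_set_station_nickname), `strlcpy()` is given the clamped request length as its size argument, which has two side effects worth checking. strlcpy() writes at most `len - 1` bytes, so a name whose length does not count a trailing NUL loses its last character, and it runs `strlen()` on the source, so a source that is not NUL-terminated inside its buffer is still read past its end; whether either case can occur depends on the callers, which are not visible here. Because the `memset()` just above each copy already zeroes the destination, a bounded copy keeps the termination without those effects: `len = min_t(size_t, wrqu->data.length, sizeof(lp->StationName) - 1);` followed by `memcpy(lp->StationName, extra, len);`, and the same with `pLtv->u.u16[0]` and `&pLtv->u.u8[2]` at the other site. Both function bodies start and end outside the quoted hunks.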