From a10438cf1b4c112173faad45b4187171c7898bd3 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Thu, 23 Jan 2014 10:17:43 -0800
Subject: [PATCH] 3.4-stable patches added patches: staging-wlags49_h2-buffer-overflow-setting-station-name.patch
---
 queue-3.4/series | 1 +
 ...buffer-overflow-setting-station-name.patch | 65 +++++++++++++++++++
 2 files changed, 66 insertions(+)
 create mode 100644 queue-3.4/staging-wlags49_h2-buffer-overflow-setting-station-name.patch
diff --git a/queue-3.4/series b/queue-3.4/series
index a8bc9484078..181e1e31a60 100644
--- a/queue-3.4/series
+++ b/queue-3.4/series
@@ -9,3 +9,4 @@ md-raid10-fix-bug-when-raid10-recovery-fails-to-recover-a-block.patch
 md-raid10-fix-two-bugs-in-handling-of-known-bad-blocks.patch
 md-raid5-fix-possible-confusion-when-multiple-write-errors-occur.patch
 serial-amba-pl011-use-port-lock-to-guard-control-register-access.patch
+staging-wlags49_h2-buffer-overflow-setting-station-name.patch
diff --git a/queue-3.4/staging-wlags49_h2-buffer-overflow-setting-station-name.patch b/queue-3.4/staging-wlags49_h2-buffer-overflow-setting-station-name.patch
new file mode 100644
index 00000000000..73abcb63044
--- /dev/null
+++ b/queue-3.4/staging-wlags49_h2-buffer-overflow-setting-station-name.patch
@@ -0,0 +1,65 @@
+From b5e2f339865fb443107e5b10603e53bbc92dc054 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Tue, 29 Oct 2013 23:00:15 +0300
+Subject: staging: wlags49_h2: buffer overflow setting station name
+
+From: Dan Carpenter
+
+commit b5e2f339865fb443107e5b10603e53bbc92dc054 upstream.
+
+We need to check the length parameter before doing the memcpy(). I've
+actually changed it to strlcpy() as well so that it's NUL terminated.
+
+You need CAP_NET_ADMIN to trigger these so it's not the end of the
+world.
+
+[XiuQi: Backported to 3.4: Adjust context]
+
+Reported-by: Nico Golde
+Reported-by: Fabian Yamaguchi
+Signed-off-by: Dan Carpenter
+Signed-off-by: Linus Torvalds
+Signed-off-by: Xie XiuQi
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/wlags49_h2/wl_priv.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/staging/wlags49_h2/wl_priv.c
++++ b/drivers/staging/wlags49_h2/wl_priv.c
+@@ -570,6 +570,7 @@ int wvlan_uil_put_info( struct uilreq *u
+ ltv_t *pLtv;
+ bool_t ltvAllocated = FALSE;
+ ENCSTRCT sEncryption;
++ size_t len;
+
+ #ifdef USE_WDS
+ hcf_16 hcfPort = HCF_PORT_0;
+@@ -686,7 +687,8 @@ int wvlan_uil_put_info( struct uilreq *u
+ break;
+ case CFG_CNF_OWN_NAME:
+ memset( lp->StationName, 0, sizeof( lp->StationName ));
+- memcpy( (void *)lp->StationName, (void *)&pLtv->u.u8[2], (size_t)pLtv->u.u16[0]);
++ len = min_t(size_t, pLtv->u.u16[0], sizeof(lp->StationName));
++ strlcpy(lp->StationName, &pLtv->u.u8[2], len);
+ pLtv->u.u16[0] = CNV_INT_TO_LITTLE( pLtv->u.u16[0] );
+ break;
+ case CFG_CNF_LOAD_BALANCING:
+@@ -1800,6 +1802,7 @@ int wvlan_set_station_nickname(struct ne
+ {
+ struct wl_private *lp = wl_priv(dev);
+ unsigned long flags;
++ size_t len;
+ int ret = 0;
+ /*------------------------------------------------------------------------*/
+
+@@ -1811,7 +1814,8 @@ int wvlan_set_station_nickname(struct ne
+
+ memset( lp->StationName, 0, sizeof( lp->StationName ));
+
+- memcpy( lp->StationName, extra, wrqu->data.length);
++ len = min_t(size_t, wrqu->data.length, sizeof(lp->StationName));
++ strlcpy(lp->StationName, extra, len);
+
+ /* Commit the adapter parameters */
+ wl_apply( lp );
-- 
2.47.2
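Review bot: In the queued patch's `CFG_CNF_OWN_NAME` case and in `wvlan_set_station_nickname`, `strlcpy()` bounds the write into `lp->StationName` but not the read of the source: the kernel's strlcpy() calls strlen() on its source, so if `&pLtv->u.u8[2]` or `extra` is not NUL-terminated inside its own buffer (not visible in these hunks), the call can still read past the end of the caller-supplied data. It also copies at most `len - 1` bytes, so a name whose supplied length does not count a terminator loses its last character. Because the preceding `memset()` already zeroes the destination, a bounded copy keeps the NUL termination without scanning the source: `len = min_t(size_t, wrqu->data.length, sizeof(lp->StationName) - 1);` followed by `memcpy(lp->StationName, extra, len);`, and the same pattern with `pLtv->u.u16[0]` and `&pLtv->u.u8[2]` in `wvlan_uil_put_info`. Both functions begin and end outside the hunks shown, so how the source buffers are sized and terminated should be confirmed against the full file.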