Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit b5e2f339 authored by Dan Carpenter's avatar Dan Carpenter Committed by Linus Torvalds
Browse files

staging: wlags49_h2: buffer overflow setting station name 



We need to check the length parameter before doing the memcpy().  I've
actually changed it to strlcpy() as well so that it's NUL terminated.

You need CAP_NET_ADMIN to trigger these so it's not the end of the
world.

Reported-by: default avatarNico Golde <nico@ngolde.de>
Reported-by: default avatarFabian Yamaguchi <fabs@goesec.de>
Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Cc: stable@kernel.org
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent f856567b

drivers/staging/wlags49_h2/wl_priv.c

+6 −3
Original line number Diff line number Diff line
@@ -570,6 +570,7 @@ int wvlan_uil_put_info(struct uilreq *urq, struct wl_private *lp) 
	ltv_t                   *pLtv;

	bool_t                  ltvAllocated = FALSE;

	ENCSTRCT                sEncryption;

	size_t			len;



#ifdef USE_WDS

	hcf_16                  hcfPort  = HCF_PORT_0;
@@ -686,7 +687,8 @@ int wvlan_uil_put_info(struct uilreq *urq, struct wl_private *lp) 
					break;

				case CFG_CNF_OWN_NAME:

					memset(lp->StationName, 0, sizeof(lp->StationName));

					memcpy((void *)lp->StationName, (void *)&pLtv->u.u8[2], (size_t)pLtv->u.u16[0]);

					len = min_t(size_t, pLtv->u.u16[0], sizeof(lp->StationName));

					strlcpy(lp->StationName, &pLtv->u.u8[2], len);

					pLtv->u.u16[0] = CNV_INT_TO_LITTLE(pLtv->u.u16[0]);

					break;

				case CFG_CNF_LOAD_BALANCING:
@@ -1783,6 +1785,7 @@ int wvlan_set_station_nickname(struct net_device *dev, 
{

	struct wl_private *lp = wl_priv(dev);

	unsigned long flags;

	size_t len;

	int         ret = 0;

	/*------------------------------------------------------------------------*/
@@ -1793,8 +1796,8 @@ int wvlan_set_station_nickname(struct net_device *dev, 
	wl_lock(lp, &flags);



	memset(lp->StationName, 0, sizeof(lp->StationName));



	memcpy(lp->StationName, extra, wrqu->data.length);

	len = min_t(size_t, wrqu->data.length, sizeof(lp->StationName));

	strlcpy(lp->StationName, extra, len);



	/* Commit the adapter parameters */

	wl_apply(lp);