Commit 09b661b3 authored by Luciano Coelho's avatar Luciano Coelho Committed by John W. Linville

wl12xx: fix potential buffer overflow in testmode nvs push

We were allocating the size of the NVS file struct and not checking
whether the length of the buffer passed was correct before copying it
into the allocated memory.  This is a security hole because buffer
overflows can occur if the userspace passes a bigger file than what is
expected.

With this patch, we check if the size of the data passed from
userspace matches the size required.

This bug was introduced in 2.6.36.

Cc: stable@kernel.org
Reported-by: default avatarIdo Yariv <ido@wizery.com>
Signed-off-by: default avatarLuciano Coelho <coelho@ti.com>
Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
parent 02353573
...@@ -204,7 +204,10 @@ static int wl1271_tm_cmd_nvs_push(struct wl1271 *wl, struct nlattr *tb[]) ...@@ -204,7 +204,10 @@ static int wl1271_tm_cmd_nvs_push(struct wl1271 *wl, struct nlattr *tb[])
kfree(wl->nvs); kfree(wl->nvs);
wl->nvs = kzalloc(sizeof(struct wl1271_nvs_file), GFP_KERNEL); if (len != sizeof(struct wl1271_nvs_file))
return -EINVAL;
wl->nvs = kzalloc(len, GFP_KERNEL);
if (!wl->nvs) { if (!wl->nvs) {
wl1271_error("could not allocate memory for the nvs file"); wl1271_error("could not allocate memory for the nvs file");
ret = -ENOMEM; ret = -ENOMEM;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment