projects / linux-drm-fsl-dcu.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 922b83b)
staging: vt6655: buffer overflow in ioctl
authorDan Carpenter <dan.carpenter@oracle.com>
Fri, 19 Sep 2014 10:43:11 +0000 (13:43 +0300)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 19 Sep 2014 22:32:20 +0000 (15:32 -0700)
->u.generic_elem.len is a user controlled number between 0-255.  We
should limit it to avoid memory corruption.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/staging/vt6655/hostap.c patch | blob | history

diff --git a/drivers/staging/vt6655/hostap.c b/drivers/staging/vt6655/hostap.c
index f105c2ac091b7eaf80a99fa75cf26fee0c5543f3..164136b07a68c8243066e280dbb1293d0e1c819d 100644 (file)
--- a/drivers/staging/vt6655/hostap.c
+++ b/drivers/staging/vt6655/hostap.c
@@ -350,6 +350,9 @@ static int hostap_set_generic_element(PSDevice pDevice,
 {
        PSMgmtObject    pMgmt = pDevice->pMgmt;
 
+       if (param->u.generic_elem.len > sizeof(pMgmt->abyWPAIE))
+               return -EINVAL;
+
        memcpy(pMgmt->abyWPAIE,
               param->u.generic_elem.data,
               param->u.generic_elem.len
Freescale DCU DRM driver