commit 09b661b33268698d3b453dceb78cda129ad899b4 · tjh.dev/kernel

tjh.dev / kernel

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

wl12xx: fix potential buffer overflow in testmode nvs push

We were allocating the size of the NVS file struct and not checking
whether the length of the buffer passed was correct before copying it
into the allocated memory. This is a security hole because buffer
overflows can occur if the userspace passes a bigger file than what is
expected.

With this patch, we check if the size of the data passed from
userspace matches the size required.

This bug was introduced in 2.6.36.

Cc: stable@kernel.org
Reported-by: Ido Yariv <ido@wizery.com>
Signed-off-by: Luciano Coelho <coelho@ti.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

authored by Luciano Coelho and committed by John W. Linville 15 years ago 09b661b3 02353573

+4 -1

1 changed file

expand all

unified split

drivers

net

wireless

wl12xx

testmode.c

+4 -1

drivers/net/wireless/wl12xx/testmode.c

··· 204 205 kfree(wl->nvs); 206 207 - wl->nvs = kzalloc(sizeof(struct wl1271_nvs_file), GFP_KERNEL); 208 if (!wl->nvs) { 209 wl1271_error("could not allocate memory for the nvs file"); 210 ret = -ENOMEM;

··· 204 205 kfree(wl->nvs); 206 207 + if (len != sizeof(struct wl1271_nvs_file)) 208 + return -EINVAL; 209 + 210 + wl->nvs = kzalloc(len, GFP_KERNEL); 211 if (!wl->nvs) { 212 wl1271_error("could not allocate memory for the nvs file"); 213 ret = -ENOMEM;