Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

irda: prevent heap corruption on invalid nickname

Invalid nicknames containing only spaces will result in an underflow in
a memcpy size calculation, subsequently destroying the heap and
panicking.

v2 also catches the case where the provided nickname is longer than the
buffer size, which can result in controllable heap corruption.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: stable@kernel.org
Signed-off-by: David S. Miller <davem@davemloft.net>

Authored by Dan Rosenberg, committed by David S. Miller
d50e7e36 e433430a

net/irda/irnet/irnet_ppp.c  +3
··· 105 105 while(isspace(start[length - 1])) 106 106 length--; 107 107 108 + DABORT(length < 5 || length > NICKNAME_MAX_LEN + 5, 109 + -EINVAL, CTRL_ERROR, "Invalid nickname.\n"); 110 + 108 111 /* Copy the name for later reuse */ 109 112 memcpy(ap->rname, start + 5, length - 5); 110 113 ap->rname[length - 5] = '\0';
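Review bot: the upper bound `length > NICKNAME_MAX_LEN + 5` still admits `length - 5 == NICKNAME_MAX_LEN`, so the terminator store `ap->rname[length - 5] = '\0';` lands at index `NICKNAME_MAX_LEN`; that is only in bounds if `rname` is declared with `NICKNAME_MAX_LEN + 1` bytes, and the hunk does not show the declaration, so please confirm it (or tighten the check to `length >= NICKNAME_MAX_LEN + 5`). A second point: the trailing-space trim loop `while(isspace(start[length - 1])) length--;` runs before the new `DABORT`, so an input consisting entirely of spaces would still drive `length` to zero and read `start[-1]` inside the loop unless the bytes skipped by `start + 5` are guaranteed non-space; a `length > 0 &&` guard in the loop condition would make the fix independent of that assumption. The commit message should also spell out what the previous behaviour was (an unsigned underflow of `length - 5` passed to `memcpy`) so the stable backport rationale is self-contained.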