From ad0c6e367ee0d08c4caa19ad0dbd3d752bd39de0 Mon Sep 17 00:00:00 2001
From: Bill Pemberton <wfp5p@virginia.edu>
Date: Mon, 24 Sep 2012 17:02:08 -0400
Subject: [PATCH] staging: dgrp: fix potential call to strncpy with a negative
 number

In dgrp_receive() there is:

   desclen = ((plen - 12) > MAX_DESC_LEN) ? MAX_DESC_LEN :
   	     	      	    plen - 12;
   strncpy(nd->nd_ps_desc, b + 12, desclen);

However, it's possible for plen to be <= 12 here so we'd be passing a
negative number into the strncpy().  Fix this to not make the strncpy
call and report an error if desclen is <= 0

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Bill Pemberton <wfp5p@virginia.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/staging/dgrp/dgrp_net_ops.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/staging/dgrp/dgrp_net_ops.c b/drivers/staging/dgrp/dgrp_net_ops.c
index d9d6b6709e4e..ab839ea3b44c 100644
--- a/drivers/staging/dgrp/dgrp_net_ops.c
+++ b/drivers/staging/dgrp/dgrp_net_ops.c
@@ -3156,6 +3156,12 @@ static void dgrp_receive(struct nd_struct *nd)
 						nd->nd_hw_id = b[6];
 						desclen = ((plen - 12) > MAX_DESC_LEN) ? MAX_DESC_LEN :
 							plen - 12;
+
+						if (desclen <= 0) {
+							error = "Response Packet desclen error";
+							goto prot_error;
+						}
+
 						strncpy(nd->nd_ps_desc, b + 12, desclen);
 						nd->nd_ps_desc[desclen] = 0;
 					}
-- 
GitLab