wl12xx: fix potential buffer overflow in testmode nvs push

We were allocating the size of the NVS file struct and not checking whether the length of the buffer passed was correct before copying it into the allocated memory. This is a security hole because buffer overflows can occur if the userspace passes a bigger file than what is expected. With this patch, we check if the size of the data passed from userspace matches the size required. This bug was introduced in 2.6.36. Cc: stable@kernel.org Reported-by: N Ido Yariv <ido@wizery.com> Signed-off-by: N Luciano Coelho <coelho@ti.com> Signed-off-by: N John W. Linville <linville@tuxdriver.com>

wl12xx: fix potential buffer overflow in testmode nvs push
We were allocating the size of the NVS file struct and not checking whether the length of the buffer passed was correct before copying it into the allocated memory. This is a security hole because buffer overflows can occur if the userspace passes a bigger file than what is expected. With this patch, we check if the size of the data passed from userspace matches the size required. This bug was introduced in 2.6.36. Cc: stable@kernel.org Reported-by: N Ido Yariv <ido@wizery.com> Signed-off-by: N Luciano Coelho <coelho@ti.com> Signed-off-by: N John W. Linville <linville@tuxdriver.com>
09b661b3 · Luciano Coelho · John W. Linville · 02353573 · 09b661b3
显示空白变更内容
内联并排

Showing with 4 addition and 1 deletion

drivers/net/wireless/wl12xx/testmode.c drivers/net/wireless/wl12xx/testmode.c +4 -1

未找到文件。
--- a/drivers/net/wireless/wl12xx/testmode.c
+++ b/drivers/net/wireless/wl12xx/testmode.c
@@ -204,7 +204,10 @@ static int wl1271_tm_cmd_nvs_push(struct wl1271 *wl, struct nlattr *tb[])

 	kfree(wl->nvs);

-	wl->nvs = kzalloc(sizeof(struct wl1271_nvs_file), GFP_KERNEL);
+	if (len != sizeof(struct wl1271_nvs_file))
+		return -EINVAL;
+
+	wl->nvs = kzalloc(len, GFP_KERNEL);
 	if (!wl->nvs) {
 		wl1271_error("could not allocate memory for the nvs file");
 		ret = -ENOMEM;