提交 ad0c6e36 编写于 作者: B Bill Pemberton 提交者: Greg Kroah-Hartman

staging: dgrp: fix potential call to strncpy with a negative number

In dgrp_receive() there is:

   desclen = ((plen - 12) > MAX_DESC_LEN) ? MAX_DESC_LEN :
   	     	      	    plen - 12;
   strncpy(nd->nd_ps_desc, b + 12, desclen);

However, it's possible for plen to be <= 12 here so we'd be passing a
negative number into the strncpy().  Fix this to not make the strncpy
call and report an error if desclen is <= 0
Reported-by: NDan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: NBill Pemberton <wfp5p@virginia.edu>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
上级 142e5460
...@@ -3156,6 +3156,12 @@ static void dgrp_receive(struct nd_struct *nd) ...@@ -3156,6 +3156,12 @@ static void dgrp_receive(struct nd_struct *nd)
nd->nd_hw_id = b[6]; nd->nd_hw_id = b[6];
desclen = ((plen - 12) > MAX_DESC_LEN) ? MAX_DESC_LEN : desclen = ((plen - 12) > MAX_DESC_LEN) ? MAX_DESC_LEN :
plen - 12; plen - 12;
if (desclen <= 0) {
error = "Response Packet desclen error";
goto prot_error;
}
strncpy(nd->nd_ps_desc, b + 12, desclen); strncpy(nd->nd_ps_desc, b + 12, desclen);
nd->nd_ps_desc[desclen] = 0; nd->nd_ps_desc[desclen] = 0;
} }
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册