diff options
| author | Bill Pemberton <wfp5p@virginia.edu> | 2012-09-24 17:02:08 -0400 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2012-09-25 15:42:38 -0700 |
| commit | ad0c6e367ee0d08c4caa19ad0dbd3d752bd39de0 (patch) | |
| tree | efdf83f1ab62b3e4d82670a4920fa373b113d2a1 /drivers/staging/dgrp | |
| parent | 142e5460a66edbfe881474eb422e86ff61c4bfc7 (diff) | |
| download | op-kernel-dev-ad0c6e367ee0d08c4caa19ad0dbd3d752bd39de0.zip op-kernel-dev-ad0c6e367ee0d08c4caa19ad0dbd3d752bd39de0.tar.gz | |
staging: dgrp: fix potential call to strncpy with a negative number
In dgrp_receive() there is:
desclen = ((plen - 12) > MAX_DESC_LEN) ? MAX_DESC_LEN :
plen - 12;
strncpy(nd->nd_ps_desc, b + 12, desclen);
However, it's possible for plen to be <= 12 here so we'd be passing a
negative number into the strncpy(). Fix this to not make the strncpy
call and report an error if desclen is <= 0
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Bill Pemberton <wfp5p@virginia.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/staging/dgrp')
| -rw-r--r-- | drivers/staging/dgrp/dgrp_net_ops.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/drivers/staging/dgrp/dgrp_net_ops.c b/drivers/staging/dgrp/dgrp_net_ops.c index d9d6b67..ab839ea 100644 --- a/drivers/staging/dgrp/dgrp_net_ops.c +++ b/drivers/staging/dgrp/dgrp_net_ops.c @@ -3156,6 +3156,12 @@ check_query: nd->nd_hw_id = b[6]; desclen = ((plen - 12) > MAX_DESC_LEN) ? MAX_DESC_LEN : plen - 12; + + if (desclen <= 0) { + error = "Response Packet desclen error"; + goto prot_error; + } + strncpy(nd->nd_ps_desc, b + 12, desclen); nd->nd_ps_desc[desclen] = 0; } |
