summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLuciano Coelho <coelho@ti.com>2011-04-01 19:42:02 +0300
committerGreg Kroah-Hartman <gregkh@suse.de>2011-04-14 13:02:26 -0700
commit1ff9aebbec267d7a877988df6ced21b95966dda8 (patch)
tree374100671d95004e0944942c16c90ad71ea2c719
parentdd3e5dee2c55cbb4f8afc54def21554e3e6b48f1 (diff)
wl12xx: fix potential buffer overflow in testmode nvs push
commit 09b661b33268698d3b453dceb78cda129ad899b4 upstream. We were allocating the size of the NVS file struct and not checking whether the length of the buffer passed was correct before copying it into the allocated memory. This is a security hole because buffer overflows can occur if the userspace passes a bigger file than what is expected. With this patch, we check if the size of the data passed from userspace matches the size required. This bug was introduced in 2.6.36. Reported-by: Ido Yariv <ido@wizery.com> Signed-off-by: Luciano Coelho <coelho@ti.com> Signed-off-by: John W. Linville <linville@tuxdriver.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-rw-r--r--drivers/net/wireless/wl12xx/testmode.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/drivers/net/wireless/wl12xx/testmode.c b/drivers/net/wireless/wl12xx/testmode.c
index e64403b6896..6ec06a4a4c6 100644
--- a/drivers/net/wireless/wl12xx/testmode.c
+++ b/drivers/net/wireless/wl12xx/testmode.c
@@ -204,7 +204,10 @@ static int wl1271_tm_cmd_nvs_push(struct wl1271 *wl, struct nlattr *tb[])
kfree(wl->nvs);
- wl->nvs = kzalloc(sizeof(struct wl1271_nvs_file), GFP_KERNEL);
+ if (len != sizeof(struct wl1271_nvs_file))
+ return -EINVAL;
+
+ wl->nvs = kzalloc(len, GFP_KERNEL);
if (!wl->nvs) {
wl1271_error("could not allocate memory for the nvs file");
ret = -ENOMEM;