| From 37f9fc452d138dfc4da2ee1ce5ae85094efc3606 Mon Sep 17 00:00:00 2001 |
| From: Samuel Ortiz <samuel@sortiz.org> |
| Date: Wed, 6 Oct 2010 01:03:12 +0200 |
| Subject: irda: Fix heap memory corruption in iriap.c |
| |
| From: Samuel Ortiz <samuel@sortiz.org> |
| |
| commit 37f9fc452d138dfc4da2ee1ce5ae85094efc3606 upstream. |
| |
| While parsing the GetValuebyClass command frame, we could potentially write |
| past the skb->data pointer. |
| |
| Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> |
| Signed-off-by: Samuel Ortiz <samuel@sortiz.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| |
| --- |
| net/irda/iriap.c | 3 ++- |
| 1 file changed, 2 insertions(+), 1 deletion(-) |
| |
| --- a/net/irda/iriap.c |
| +++ b/net/irda/iriap.c |
| @@ -501,7 +501,8 @@ static void iriap_getvaluebyclass_confir |
| IRDA_DEBUG(4, "%s(), strlen=%d\n", __func__, value_len); |
| |
| /* Make sure the string is null-terminated */ |
| - fp[n+value_len] = 0x00; |
| + if (n + value_len < skb->len) |
| + fp[n + value_len] = 0x00; |
| IRDA_DEBUG(4, "Got string %s\n", fp+n); |
| |
| /* Will truncate to IAS_MAX_STRING bytes */ |
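Review bot: When `n + value_len >= skb->len`, the new guard only skips the terminator write, so the string stays unterminated and the next line, `IRDA_DEBUG(4, "Got string %s\n", fp+n);`, still reads it with `%s` and can run past the end of the frame data. A declared length that does not fit the received frame is better treated as a malformed frame and rejected before `fp+n` is used at all, e.g. `if (n + value_len >= skb->len) { /* malformed frame: bail out via the function's existing error path */ }`. The function body starts and ends outside the hunk, so the right cleanup on that path, and how the code after the "Will truncate" comment consumes `fp+n`, should be confirmed against the full function. It is also worth checking there that the earlier reads that produce `n` and `value_len` are bounded by `skb->len` in the same way.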