| From d50e7e3604778bfc2dc40f440e0742dbae399d54 Mon Sep 17 00:00:00 2001 |
| From: Dan Rosenberg <drosenberg@vsecurity.com> |
| Date: Sat, 19 Mar 2011 20:14:30 +0000 |
| Subject: irda: prevent heap corruption on invalid nickname |
| |
| From: Dan Rosenberg <drosenberg@vsecurity.com> |
| |
| commit d50e7e3604778bfc2dc40f440e0742dbae399d54 upstream. |
| |
| Invalid nicknames containing only spaces will result in an underflow in |
| a memcpy size calculation, subsequently destroying the heap and |
| panicking. |
| |
| v2 also catches the case where the provided nickname is longer than the |
| buffer size, which can result in controllable heap corruption. |
| |
| Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| |
| --- |
| net/irda/irnet/irnet_ppp.c | 3 +++ |
| 1 file changed, 3 insertions(+) |
| |
| --- a/net/irda/irnet/irnet_ppp.c |
| +++ b/net/irda/irnet/irnet_ppp.c |
| @@ -105,6 +105,9 @@ irnet_ctrl_write(irnet_socket * ap, |
| while(isspace(start[length - 1])) |
| length--; |
| |
| + DABORT(length < 5 || length > NICKNAME_MAX_LEN + 5, |
| + -EINVAL, CTRL_ERROR, "Invalid nickname.\n"); |
| + |
| /* Copy the name for later reuse */ |
| memcpy(ap->rname, start + 5, length - 5); |
| ap->rname[length - 5] = '\0'; |
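Review bot: The upper bound in the added `DABORT` still admits `length - 5 == NICKNAME_MAX_LEN`, so the `memcpy` can fill `NICKNAME_MAX_LEN` bytes and the terminator is then written to `ap->rname[NICKNAME_MAX_LEN]`. That is in bounds only if `rname` is declared with at least `NICKNAME_MAX_LEN + 1` bytes, which this hunk does not show. If `rname` is an array member, a compile-time guard next to the check would pin that down: `BUILD_BUG_ON(sizeof(ap->rname) < NICKNAME_MAX_LEN + 1);`. The trailing-whitespace loop above the check also has no visible lower bound on `length` and appears to rely on a non-space byte earlier in `start`, so a comment such as `/* "name " prefix is 5 bytes; rname holds NICKNAME_MAX_LEN chars plus NUL */` would record both assumptions. The body of irnet_ctrl_write starts and ends outside the hunk, so both points should be confirmed against the full function and the struct definition.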