| From d370af0ef7951188daeb15bae75db7ba57c67846 Mon Sep 17 00:00:00 2001 |
| From: Dan Rosenberg <drosenberg@vsecurity.com> |
| Date: Sun, 20 Mar 2011 15:32:06 +0000 |
| Subject: irda: validate peer name and attribute lengths |
| |
| From: Dan Rosenberg <drosenberg@vsecurity.com> |
| |
| commit d370af0ef7951188daeb15bae75db7ba57c67846 upstream. |
| |
| Length fields provided by a peer for names and attributes may be longer |
| than the destination array sizes. Validate lengths to prevent stack |
| buffer overflows. |
| |
| Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| |
| --- |
| net/irda/iriap.c | 6 ++++++ |
| 1 file changed, 6 insertions(+) |
| |
| --- a/net/irda/iriap.c |
| +++ b/net/irda/iriap.c |
| @@ -655,10 +655,16 @@ static void iriap_getvaluebyclass_indica |
| n = 1; |
| |
| name_len = fp[n++]; |
| + |
| + IRDA_ASSERT(name_len < IAS_MAX_CLASSNAME + 1, return;); |
| + |
| memcpy(name, fp+n, name_len); n+=name_len; |
| name[name_len] = '\0'; |
| |
| attr_len = fp[n++]; |
| + |
| + IRDA_ASSERT(attr_len < IAS_MAX_ATTRIBNAME + 1, return;); |
| + |
| memcpy(attr, fp+n, attr_len); n+=attr_len; |
| attr[attr_len] = '\0'; |
| |