| From a497e47d4aec37aaf8f13509f3ef3d1f6a717d88 Mon Sep 17 00:00:00 2001 |
| From: Dan Carpenter <dan.carpenter@oracle.com> |
| Date: Wed, 30 Oct 2013 20:12:51 +0300 |
| Subject: libertas: potential oops in debugfs |
| |
| From: Dan Carpenter <dan.carpenter@oracle.com> |
| |
| commit a497e47d4aec37aaf8f13509f3ef3d1f6a717d88 upstream. |
| |
| If we do a zero size allocation then it will oops. Also we can't be |
| sure the user passes us a NUL terminated string so I've added a |
| terminator. |
| |
| This code can only be triggered by root. |
| |
| Reported-by: Nico Golde <nico@ngolde.de> |
| Reported-by: Fabian Yamaguchi <fabs@goesec.de> |
| Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> |
| Acked-by: Dan Williams <dcbw@redhat.com> |
| Signed-off-by: John W. Linville <linville@tuxdriver.com> |
| Cc: Kees Cook <keescook@chromium.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| drivers/net/wireless/libertas/debugfs.c | 6 +++++- |
| 1 file changed, 5 insertions(+), 1 deletion(-) |
| |
| --- a/drivers/net/wireless/libertas/debugfs.c |
| +++ b/drivers/net/wireless/libertas/debugfs.c |
| @@ -913,7 +913,10 @@ static ssize_t lbs_debugfs_write(struct |
| char *p2; |
| struct debug_data *d = f->private_data; |
| |
| - pdata = kmalloc(cnt, GFP_KERNEL); |
| + if (cnt == 0) |
| + return 0; |
| + |
| + pdata = kmalloc(cnt + 1, GFP_KERNEL); |
| if (pdata == NULL) |
| return 0; |
| |
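Review bot: The new `kmalloc(cnt + 1, GFP_KERNEL)` still takes its size directly from the caller-supplied `cnt` with no upper bound, so a single write to this debugfs file can request an arbitrarily large allocation. The input format is parsed outside this hunk, but if valid input is short, reject oversized writes before allocating, for example `if (cnt > PAGE_SIZE) return -EINVAL;` with whatever limit fits the longest valid input. Separately, the allocation-failure path here returns 0, as does the `kfree(pdata); return 0;` branch in the next hunk, so the writer sees zero bytes written instead of an error and may simply retry; `return -ENOMEM;` here (and, if that branch is a failed user copy, `-EFAULT` there) would surface the failure. `lbs_debugfs_write` begins and ends outside this hunk.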
| @@ -922,6 +925,7 @@ static ssize_t lbs_debugfs_write(struct |
| kfree(pdata); |
| return 0; |
| } |
| + pdata[cnt] = '\0'; |
| |
| p0 = pdata; |
| for (i = 0; i < num_of_items; i++) { |
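Review bot: `pdata[cnt] = '\0';` is in bounds only because the earlier hunk changed the allocation to `cnt + 1`, and nothing at this line records that dependency. A one-line comment would keep the two in step if either is refactored later, for example `/* pdata holds cnt + 1 bytes; terminate so the parsing below stays inside the copied data */`. The loop that consumes `p0` continues outside the hunk, so the assumption that it relies on string functions comes from the commit message rather than from visible code.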