[hardy, lucid/fsl-imx51, maverick/ti-omap4 CVE 1/1] irda: validate peer name and attribute lengths
Andy Whitcroft
apw at canonical.com
Wed Jul 27 15:20:44 UTC 2011
From: Dan Rosenberg <drosenberg at vsecurity.com>
Length fields provided by a peer for names and attributes may be longer
than the destination array sizes. Validate lengths to prevent stack
buffer overflows.
Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
Cc: stable at kernel.org
Signed-off-by: David S. Miller <davem at davemloft.net>
(cherry picked from commit d370af0ef7951188daeb15bae75db7ba57c67846)
CVE-2011-1180
BugLink: http://bugs.launchpad.net/bugs/816547
Signed-off-by: Andy Whitcroft <apw at canonical.com>
---
net/irda/iriap.c | 6 ++++++
1 files changed, 6 insertions(+), 0 deletions(-)
diff --git a/net/irda/iriap.c b/net/irda/iriap.c
index a86a5d8..a765d5f 100644
--- a/net/irda/iriap.c
+++ b/net/irda/iriap.c
@@ -652,10 +652,16 @@ static void iriap_getvaluebyclass_indication(struct iriap_cb *self,
n = 1;
name_len = fp[n++];
+
+ IRDA_ASSERT(name_len < IAS_MAX_CLASSNAME + 1, return;);
+
memcpy(name, fp+n, name_len); n+=name_len;
name[name_len] = '\0';
attr_len = fp[n++];
+
+ IRDA_ASSERT(attr_len < IAS_MAX_ATTRIBNAME + 1, return;);
+
memcpy(attr, fp+n, attr_len); n+=attr_len;
attr[attr_len] = '\0';
--
1.7.4.1
More information about the kernel-team
mailing list