[3.8.y.z extended stable] Patch "staging: ozwpan: prevent overflow in oz_cdev_write()" has been added to staging queue

Kamal Mostafa kamal at canonical.com
Fri Nov 8 02:09:01 UTC 2013

This is a note to let you know that I have just added a patch titled

    staging: ozwpan: prevent overflow in oz_cdev_write()

to the linux-3.8.y-queue branch of the 3.8.y.z extended stable tree 
which can be found at:


This patch is scheduled to be released in version

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.8.y.z tree, see



>From f9fc704132b2c8cffc319d0156a5db78e5c958de Mon Sep 17 00:00:00 2001
From: Dan Carpenter <dan.carpenter at oracle.com>
Date: Tue, 29 Oct 2013 22:07:47 +0300
Subject: staging: ozwpan: prevent overflow in oz_cdev_write()

commit c2c65cd2e14ada6de44cb527e7f1990bede24e15 upstream.

We need to check "count" so we don't overflow the ei->data buffer.

Reported-by: Nico Golde <nico at ngolde.de>
Reported-by: Fabian Yamaguchi <fabs at goesec.de>
Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
Signed-off-by: Kamal Mostafa <kamal at canonical.com>
 drivers/staging/ozwpan/ozcdev.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/staging/ozwpan/ozcdev.c b/drivers/staging/ozwpan/ozcdev.c
index 64913ae..f9c493b 100644
--- a/drivers/staging/ozwpan/ozcdev.c
+++ b/drivers/staging/ozwpan/ozcdev.c
@@ -152,6 +152,9 @@ ssize_t oz_cdev_write(struct file *filp, const char __user *buf, size_t count,
 	struct oz_app_hdr *app_hdr;
 	struct oz_serial_ctx *ctx;

+	if (count > sizeof(ei->data) - sizeof(*elt) - sizeof(*app_hdr))
+		return -EINVAL;
 	pd = g_cdev.active_pd;
 	if (pd)

More information about the kernel-team mailing list