[Lucid][CVE-2013-6378] libertas: potential oops in debugfs

[Luis Henriques]

From: Dan Carpenter <dan.carpenter at oracle.com>

CVE-2013-6378

BugLink: http://bugs.launchpad.net/bugs/1256080

If we do a zero size allocation then it will oops.  Also we can't be
sure the user passes us a NUL terminated string so I've added a
terminator.

This code can only be triggered by root.

Reported-by: Nico Golde <nico at ngolde.de>
Reported-by: Fabian Yamaguchi <fabs at goesec.de>
Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
Acked-by: Dan Williams <dcbw at redhat.com>
Signed-off-by: John W. Linville <linville at tuxdriver.com>
(cherry picked from commit a497e47d4aec37aaf8f13509f3ef3d1f6a717d88)
Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
---
 drivers/net/wireless/libertas/debugfs.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/libertas/debugfs.c b/drivers/net/wireless/libertas/debugfs.c
index 893a55c..89532a6 100644
--- a/drivers/net/wireless/libertas/debugfs.c
+++ b/drivers/net/wireless/libertas/debugfs.c
@@ -925,7 +925,10 @@ static ssize_t lbs_debugfs_write(struct file *f, const char __user *buf,
 	char *p2;
 	struct debug_data *d = (struct debug_data *)f->private_data;
 
-	pdata = kmalloc(cnt, GFP_KERNEL);
+	if (cnt == 0)
+		return 0;
+
+	pdata = kmalloc(cnt + 1, GFP_KERNEL);
 	if (pdata == NULL)
 		return 0;
 
@@ -934,6 +937,7 @@ static ssize_t lbs_debugfs_write(struct file *f, const char __user *buf,
 		kfree(pdata);
 		return 0;
 	}
+	pdata[cnt] = '\0';
 
 	p0 = pdata;
 	for (i = 0; i < num_of_items; i++) {
-- 
1.8.3.2