staging: vt6655: buffer overflow in ioctl

->u.generic_elem.len is a user controlled number between 0-255. We should limit it to avoid memory corruption. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Dan Carpenter <dan.carpenter@oracle.com> 2014-09-19 13:43:11 +0300
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2014-09-19 15:32:20 -0700
commit: ed87c2b2e7dd34016017af183b8f3fbe28179bc1 (patch)
tree: fc75ae737183ec9db5ee54ccaff24137661e0592
parent: Merge tag 'iio-fixes-3.17a' of git://git.kernel.org/pub/scm/linux/kernel/git/jic23/iio into staging-linus (diff)
download: linux-dev-ed87c2b2e7dd34016017af183b8f3fbe28179bc1.tar.xz
linux-dev-ed87c2b2e7dd34016017af183b8f3fbe28179bc1.zip
1 files changed, 3 insertions, 0 deletions
diff --git a/drivers/staging/vt6655/hostap.c b/drivers/staging/vt6655/hostap.c
index f105c2ac091b..164136b07a68 100644
--- a/drivers/staging/vt6655/hostap.c
+++ b/drivers/staging/vt6655/hostap.c
@@ -350,6 +350,9 @@ static int hostap_set_generic_element(PSDevice pDevice,
 {
 	PSMgmtObject    pMgmt = pDevice->pMgmt;
 
+	if (param->u.generic_elem.len > sizeof(pMgmt->abyWPAIE))
+		return -EINVAL;
+
 	memcpy(pMgmt->abyWPAIE,
 	       param->u.generic_elem.data,
 	       param->u.generic_elem.len
author	Dan Carpenter <dan.carpenter@oracle.com>	2014-09-19 13:43:11 +0300
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2014-09-19 15:32:20 -0700
commit	ed87c2b2e7dd34016017af183b8f3fbe28179bc1 (patch)
tree	fc75ae737183ec9db5ee54ccaff24137661e0592
parent	Merge tag 'iio-fixes-3.17a' of git://git.kernel.org/pub/scm/linux/kernel/git/jic23/iio into staging-linus (diff)
download	linux-dev-ed87c2b2e7dd34016017af183b8f3fbe28179bc1.tar.xz linux-dev-ed87c2b2e7dd34016017af183b8f3fbe28179bc1.zip