Patchwork [hardy,lucid/fsl-imx51,maverick/ti-omap4,CVE,1/1] irda: validate peer name and attribute lengths

login
register
mail settings
Submitter Andy Whitcroft
Date July 27, 2011, 3:20 p.m.
Message ID <1311780044-21804-2-git-send-email-apw@canonical.com>
Download mbox | patch
Permalink /patch/107106/
State New
Headers show

Comments

Andy Whitcroft - July 27, 2011, 3:20 p.m.
From: Dan Rosenberg <drosenberg@vsecurity.com>

Length fields provided by a peer for names and attributes may be longer
than the destination array sizes.  Validate lengths to prevent stack
buffer overflows.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: stable@kernel.org
Signed-off-by: David S. Miller <davem@davemloft.net>

(cherry picked from commit d370af0ef7951188daeb15bae75db7ba57c67846)
CVE-2011-1180
BugLink: http://bugs.launchpad.net/bugs/816547
Signed-off-by: Andy Whitcroft <apw@canonical.com>
---
 net/irda/iriap.c |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

Patch

diff --git a/net/irda/iriap.c b/net/irda/iriap.c
index a86a5d8..a765d5f 100644
--- a/net/irda/iriap.c
+++ b/net/irda/iriap.c
@@ -652,10 +652,16 @@  static void iriap_getvaluebyclass_indication(struct iriap_cb *self,
 	n = 1;
 
 	name_len = fp[n++];
+
+	IRDA_ASSERT(name_len < IAS_MAX_CLASSNAME + 1, return;);
+
 	memcpy(name, fp+n, name_len); n+=name_len;
 	name[name_len] = '\0';
 
 	attr_len = fp[n++];
+
+	IRDA_ASSERT(attr_len < IAS_MAX_ATTRIBNAME + 1, return;);
+
 	memcpy(attr, fp+n, attr_len); n+=attr_len;
 	attr[attr_len] = '\0';