Patchwork [1/1] drivers/net/irda/irda-usb.c: fix buffer overflow

login
register
mail settings
Submitter Andrew Morton
Date Jan. 13, 2009, 9:30 p.m.
Message ID <200901132130.n0DLUsjq014237@imap1.linux-foundation.org>
Download mbox | patch
Permalink /patch/18299/
State Accepted
Delegated to: David Miller
Headers show

Comments

Andrew Morton - Jan. 13, 2009, 9:30 p.m.
From: Jos-Vicente Gilabert <josevteg@gmail.com>

Taken from http://bugzilla.kernel.org/show_bug.cgi?id=12397

We're doing an sprintf of an 11-char string into an 11-char buffer. 
Whoops.  It breaks firmware uploading.

Reported-by: Jos-Vicente Gilabert <josevteg@gmail.com>
Cc: David S. Miller <davem@davemloft.net>
Cc: Samuel Ortiz <samuel@sortiz.org>
Cc: "John W. Linville" <linville@tuxdriver.com>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
---

 drivers/net/irda/irda-usb.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
David Miller - Jan. 15, 2009, 4:55 a.m.
From: akpm@linux-foundation.org
Date: Tue, 13 Jan 2009 13:30:54 -0800

> From: Jos-Vicente Gilabert <josevteg@gmail.com>
> 
> Taken from http://bugzilla.kernel.org/show_bug.cgi?id=12397
> 
> We're doing an sprintf of an 11-char string into an 11-char buffer. 
> Whoops.  It breaks firmware uploading.
> 
> Reported-by: Jos-Vicente Gilabert <josevteg@gmail.com>
> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>

Patch applied, thanks.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Patch

diff -puN drivers/net/irda/irda-usb.c~drivers-net-irda-irda-usbc-fix-buffer-overflow drivers/net/irda/irda-usb.c
--- a/drivers/net/irda/irda-usb.c~drivers-net-irda-irda-usbc-fix-buffer-overflow
+++ a/drivers/net/irda/irda-usb.c
@@ -1073,7 +1073,7 @@  static int stir421x_patch_device(struct 
 {
 	unsigned int i;
 	int ret;
-	char stir421x_fw_name[11];
+	char stir421x_fw_name[12];
 	const struct firmware *fw;
 	const unsigned char *fw_version_ptr; /* pointer to version string */
 	unsigned long fw_version = 0;