Thread (106 messages) 106 messages, 6 authors, 2021-03-18
STALE1931d

[PATCH 4.14 67/95] staging: rtl8712: unterminated string leads to read overflow

From: gregkh@linuxfoundation.org
Date: 2021-03-15 14:24:07
Also in: lkml

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

From: Dan Carpenter <redacted>

commit d660f4f42ccea50262c6ee90c8e7ad19a69fb225 upstream.

The memdup_user() function does not necessarily return a NUL terminated
string so this can lead to a read overflow.  Switch from memdup_user()
to strndup_user() to fix this bug.

Fixes: c6dc001f2add ("staging: r8712u: Merging Realtek's latest (v2.6.6). Various fixes.")
Cc: stable <redacted>
Signed-off-by: Dan Carpenter <redacted>
Link: https://lore.kernel.org/r/YDYSR+1rj26NRhvb@mwanda (local)
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/staging/rtl8712/rtl871x_ioctl_linux.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/staging/rtl8712/rtl871x_ioctl_linux.c
+++ b/drivers/staging/rtl8712/rtl871x_ioctl_linux.c
@@ -927,7 +927,7 @@ static int r871x_wx_set_priv(struct net_
 	struct iw_point *dwrq = (struct iw_point *)awrq;
 
 	len = dwrq->length;
-	ext = memdup_user(dwrq->pointer, len);
+	ext = strndup_user(dwrq->pointer, len);
 	if (IS_ERR(ext))
 		return PTR_ERR(ext);
 

Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help