From: Dan Rosenberg <drosenberg@vsecurity.com>
Length fields provided by a peer for names and attributes may be longer
than the destination array sizes. Validate lengths to prevent stack
buffer overflows.
Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: stable@kernel.org
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit d370af0ef7951188daeb15bae75db7ba57c67846)
CVE-2011-1180
BugLink: http://bugs.launchpad.net/bugs/816547
Signed-off-by: Andy Whitcroft <apw@canonical.com>
---
net/irda/iriap.c | 6 ++++++
1 files changed, 6 insertions(+), 0 deletions(-)
diff --git a/net/irda/iriap.c b/net/irda/iriap.c
index a86a5d8..a765d5f 100644
--- a/net/irda/iriap.c
+++ b/net/irda/iriap.c
@@ -652,10 +652,16 @@ static void iriap_getvaluebyclass_indication(struct iriap_cb *self,
n = 1;
name_len = fp[n++];
+
+ IRDA_ASSERT(name_len < IAS_MAX_CLASSNAME + 1, return
;
+
memcpy(name, fp+n, name_len); n+=name_len;
name[name_len] = '�';
attr_len = fp[n++];
+
+ IRDA_ASSERT(attr_len < IAS_MAX_ATTRIBNAME + 1, return
;
+
memcpy(attr, fp+n, attr_len); n+=attr_len;
attr[attr_len] = '�';
--
1.7.4.1
--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
irda: validate peer name and attribute lengths
