diff options
author | Dan Carpenter <dan.carpenter@oracle.com> | 2021-02-24 11:45:59 +0300 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2021-03-17 16:43:49 +0100 |
commit | 514cf1f593c0ddeb86b9c923554c076f3651cc6b (patch) | |
tree | f507184962c11e5097bbc53e91954a819ffe5cc1 | |
parent | eda4378094de16090d74eacea3d8c10f7719ed25 (diff) | |
download | linux-stable-514cf1f593c0ddeb86b9c923554c076f3651cc6b.tar.gz linux-stable-514cf1f593c0ddeb86b9c923554c076f3651cc6b.tar.bz2 linux-stable-514cf1f593c0ddeb86b9c923554c076f3651cc6b.zip |
staging: rtl8712: unterminated string leads to read overflow
commit d660f4f42ccea50262c6ee90c8e7ad19a69fb225 upstream.
The memdup_user() function does not necessarily return a NUL terminated
string so this can lead to a read overflow. Switch from memdup_user()
to strndup_user() to fix this bug.
Fixes: c6dc001f2add ("staging: r8712u: Merging Realtek's latest (v2.6.6). Various fixes.")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Link: https://lore.kernel.org/r/YDYSR+1rj26NRhvb@mwanda
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r-- | drivers/staging/rtl8712/rtl871x_ioctl_linux.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/staging/rtl8712/rtl871x_ioctl_linux.c b/drivers/staging/rtl8712/rtl871x_ioctl_linux.c index 2f490a4bf60a..4472dc76276a 100644 --- a/drivers/staging/rtl8712/rtl871x_ioctl_linux.c +++ b/drivers/staging/rtl8712/rtl871x_ioctl_linux.c @@ -946,7 +946,7 @@ static int r871x_wx_set_priv(struct net_device *dev, struct iw_point *dwrq = (struct iw_point *)awrq; len = dwrq->length; - ext = memdup_user(dwrq->pointer, len); + ext = strndup_user(dwrq->pointer, len); if (IS_ERR(ext)) return PTR_ERR(ext); |