summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDan Carpenter <dan.carpenter@oracle.com>2021-02-24 11:45:59 +0300
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2021-03-17 16:43:49 +0100
commit514cf1f593c0ddeb86b9c923554c076f3651cc6b (patch)
treef507184962c11e5097bbc53e91954a819ffe5cc1
parenteda4378094de16090d74eacea3d8c10f7719ed25 (diff)
downloadlinux-stable-514cf1f593c0ddeb86b9c923554c076f3651cc6b.tar.gz
linux-stable-514cf1f593c0ddeb86b9c923554c076f3651cc6b.tar.bz2
linux-stable-514cf1f593c0ddeb86b9c923554c076f3651cc6b.zip
staging: rtl8712: unterminated string leads to read overflow
commit d660f4f42ccea50262c6ee90c8e7ad19a69fb225 upstream. The memdup_user() function does not necessarily return a NUL terminated string so this can lead to a read overflow. Switch from memdup_user() to strndup_user() to fix this bug. Fixes: c6dc001f2add ("staging: r8712u: Merging Realtek's latest (v2.6.6). Various fixes.") Cc: stable <stable@vger.kernel.org> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Link: https://lore.kernel.org/r/YDYSR+1rj26NRhvb@mwanda Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat
-rw-r--r--drivers/staging/rtl8712/rtl871x_ioctl_linux.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/staging/rtl8712/rtl871x_ioctl_linux.c b/drivers/staging/rtl8712/rtl871x_ioctl_linux.c
index 2f490a4bf60a..4472dc76276a 100644
--- a/drivers/staging/rtl8712/rtl871x_ioctl_linux.c
+++ b/drivers/staging/rtl8712/rtl871x_ioctl_linux.c
@@ -946,7 +946,7 @@ static int r871x_wx_set_priv(struct net_device *dev,
struct iw_point *dwrq = (struct iw_point *)awrq;
len = dwrq->length;
- ext = memdup_user(dwrq->pointer, len);
+ ext = strndup_user(dwrq->pointer, len);
if (IS_ERR(ext))
return PTR_ERR(ext);
generated by cgit v1.2.3 (git 2.25.1) at 2024-05-28 02:28:45 +0000