summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDan Carpenter <dan.carpenter@oracle.com>2021-02-24 11:45:59 +0300
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2021-03-17 17:06:31 +0100
commit550c9e49eb429cdb0c1e70ba6a6cf5935612f0dd (patch)
tree71b76a41351a6c214b3933702a5cf1f37981123a
parentd972a516958dee489911d9f57ee7a177834ef248 (diff)
downloadlinux-stable-550c9e49eb429cdb0c1e70ba6a6cf5935612f0dd.tar.gz
linux-stable-550c9e49eb429cdb0c1e70ba6a6cf5935612f0dd.tar.bz2
linux-stable-550c9e49eb429cdb0c1e70ba6a6cf5935612f0dd.zip
staging: rtl8712: unterminated string leads to read overflow
commit d660f4f42ccea50262c6ee90c8e7ad19a69fb225 upstream. The memdup_user() function does not necessarily return a NUL terminated string so this can lead to a read overflow. Switch from memdup_user() to strndup_user() to fix this bug. Fixes: c6dc001f2add ("staging: r8712u: Merging Realtek's latest (v2.6.6). Various fixes.") Cc: stable <stable@vger.kernel.org> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Link: https://lore.kernel.org/r/YDYSR+1rj26NRhvb@mwanda Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat
-rw-r--r--drivers/staging/rtl8712/rtl871x_ioctl_linux.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/staging/rtl8712/rtl871x_ioctl_linux.c b/drivers/staging/rtl8712/rtl871x_ioctl_linux.c
index cbaa7a489748..2a661b04cd25 100644
--- a/drivers/staging/rtl8712/rtl871x_ioctl_linux.c
+++ b/drivers/staging/rtl8712/rtl871x_ioctl_linux.c
@@ -924,7 +924,7 @@ static int r871x_wx_set_priv(struct net_device *dev,
struct iw_point *dwrq = (struct iw_point *)awrq;
len = dwrq->length;
- ext = memdup_user(dwrq->pointer, len);
+ ext = strndup_user(dwrq->pointer, len);
if (IS_ERR(ext))
return PTR_ERR(ext);
generated by cgit v1.2.3 (git 2.46.0) at 2025-04-25 09:35:52 +0000