summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMiaoqing Pan <miaoqing@codeaurora.org>2017-09-27 09:13:34 +0800
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2017-12-20 10:05:01 +0100
commita815c0a370cf9bab9f209e11b954a63b419827ad (patch)
tree7b9fda2c84d9b1803df27dde47acfcf825ec3f88
parent26c66554d7bf86ca332200e77c3279c9a220bf27 (diff)
downloadlinux-stable-a815c0a370cf9bab9f209e11b954a63b419827ad.tar.gz
linux-stable-a815c0a370cf9bab9f209e11b954a63b419827ad.tar.bz2
linux-stable-a815c0a370cf9bab9f209e11b954a63b419827ad.zip
ath9k: fix tx99 potential info leak
[ Upstream commit ee0a47186e2fa9aa1c56cadcea470ca0ba8c8692 ] When the user sets count to zero the string buffer would remain completely uninitialized which causes the kernel to parse its own stack data, potentially leading to an info leak. In addition to that, the string might be not terminated properly when the user data does not contain a 0-terminator. Signed-off-by: Miaoqing Pan <miaoqing@codeaurora.org> Reviewed-by: Christoph Böhmwalder <christoph@boehmwalder.at> Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com> Signed-off-by: Sasha Levin <alexander.levin@verizon.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r--drivers/net/wireless/ath/ath9k/tx99.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/drivers/net/wireless/ath/ath9k/tx99.c b/drivers/net/wireless/ath/ath9k/tx99.c
index b4e6304afd40..7ee1a3183a06 100644
--- a/drivers/net/wireless/ath/ath9k/tx99.c
+++ b/drivers/net/wireless/ath/ath9k/tx99.c
@@ -180,6 +180,9 @@ static ssize_t write_file_tx99(struct file *file, const char __user *user_buf,
ssize_t len;
int r;
+ if (count < 1)
+ return -EINVAL;
+
if (sc->cur_chan->nvifs > 1)
return -EOPNOTSUPP;
@@ -187,6 +190,8 @@ static ssize_t write_file_tx99(struct file *file, const char __user *user_buf,
if (copy_from_user(buf, user_buf, len))
return -EFAULT;
+ buf[len] = '\0';
+
if (strtobool(buf, &start))
return -EINVAL;