Skip to content

Commit

Permalink
staging: rtl8712: unterminated string leads to read overflow
Browse files Browse the repository at this point in the history 
commit d660f4f upstream.

The memdup_user() function does not necessarily return a NUL terminated
string so this can lead to a read overflow.  Switch from memdup_user()
to strndup_user() to fix this bug.

Fixes: c6dc001 ("staging: r8712u: Merging Realtek's latest (v2.6.6). Various fixes.")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Link: https://lore.kernel.org/r/YDYSR+1rj26NRhvb@mwanda
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  • Loading branch information
@gregkh
Dan Carpenter authored and gregkh committed Mar 17, 2021
1 parent d972a51 commit 550c9e4
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion drivers/staging/rtl8712/rtl871x_ioctl_linux.c
View file
Expand Up @@ -924,7 +924,7 @@ static int r871x_wx_set_priv(struct net_device *dev,
struct iw_point *dwrq = (struct iw_point *)awrq;

len = dwrq->length;
ext = memdup_user(dwrq->pointer, len);
ext = strndup_user(dwrq->pointer, len);
if (IS_ERR(ext))
return PTR_ERR(ext);

Expand Down

0 comments on commit 550c9e4

Please sign in to comment.