From: Bill Pemberton Date: Mon, 24 Sep 2012 21:02:08 +0000 (-0400) Subject: staging: dgrp: fix potential call to strncpy with a negative number X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=ad0c6e367ee0d08c4caa19ad0dbd3d752bd39de0;p=GitHub%2Fmt8127%2Fandroid_kernel_alcatel_ttab.git staging: dgrp: fix potential call to strncpy with a negative number In dgrp_receive() there is: desclen = ((plen - 12) > MAX_DESC_LEN) ? MAX_DESC_LEN : plen - 12; strncpy(nd->nd_ps_desc, b + 12, desclen); However, it's possible for plen to be <= 12 here so we'd be passing a negative number into the strncpy(). Fix this to not make the strncpy call and report an error if desclen is <= 0 Reported-by: Dan Carpenter Signed-off-by: Bill Pemberton Signed-off-by: Greg Kroah-Hartman --- diff --git a/drivers/staging/dgrp/dgrp_net_ops.c b/drivers/staging/dgrp/dgrp_net_ops.c index d9d6b6709e4e..ab839ea3b44c 100644 --- a/drivers/staging/dgrp/dgrp_net_ops.c +++ b/drivers/staging/dgrp/dgrp_net_ops.c @@ -3156,6 +3156,12 @@ check_query: nd->nd_hw_id = b[6]; desclen = ((plen - 12) > MAX_DESC_LEN) ? MAX_DESC_LEN : plen - 12; + + if (desclen <= 0) { + error = "Response Packet desclen error"; + goto prot_error; + } + strncpy(nd->nd_ps_desc, b + 12, desclen); nd->nd_ps_desc[desclen] = 0; }