From patchwork Sat Sep 4 13:14:35 2010
X-Patchwork-Submitter: Dan Carpenter
X-Patchwork-Id: 63775
X-Patchwork-Delegate: davem@davemloft.net
Date: Sat, 4 Sep 2010 15:14:35 +0200
From: Dan Carpenter
To: Samuel Ortiz
Cc: "David S. Miller", Alexey Dobriyan, Li Zefan, netdev@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: [patch] irda: off by one
Message-ID: <20100904131435.GL5437@bicker>

This is an off by one. We would go past the end when we NUL terminate the "value" string at end of the function. The "value" buffer is allocated in irlan_client_parse_response() or irlan_provider_parse_command().

CC: stable@kernel.org
Signed-off-by: Dan Carpenter
---
diff --git a/net/irda/irlan/irlan_common.c b/net/irda/irlan/irlan_common.c index a788f9e..6130f9d 100644 --- a/net/irda/irlan/irlan_common.c +++ b/net/irda/irlan/irlan_common.c @@ -1102,7 +1102,7 @@ int irlan_extract_param(__u8 *buf, char *name, char *value, __u16 *len) memcpy(&val_len, buf+n, 2); /* To avoid alignment problems */ le16_to_cpus(&val_len); n+=2; - if (val_len > 1016) { + if (val_len >= 1016) { IRDA_DEBUG(2, "%s(), parameter length to long\n", __func__ ); return -RSP_INVALID_COMMAND_FORMAT; }
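Review bot: The bound in `if (val_len >= 1016)` is still a bare literal, and it is only correct as long as it matches the size of the "value" buffer that the commit message says is allocated in irlan_client_parse_response() and irlan_provider_parse_command(). Neither allocation is visible in this hunk, and irlan_extract_param() takes no size argument for `value`, so nothing here ties the check to the buffer. A shared named constant used for both the allocations and this comparison (or a length parameter passed in by the callers) would keep the two from drifting apart, and a short comment noting that one byte is reserved for the terminating NUL would explain why the test is `>=` rather than `>`. While this line is being touched, the debug string "parameter length to long" could be corrected to "too long".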