From patchwork Mon Oct 11 00:25:02 2010
X-Patchwork-Submitter: Samuel Ortiz
X-Patchwork-Id: 67374
X-Patchwork-Delegate: davem@davemloft.net
From: Samuel Ortiz
To: "David S. Miller"
Cc: netdev@vger.kernel.org, Samuel Ortiz, stable@kernel.org
Subject: [PATCH net-next 5/5] irda: Fix heap memory corruption in iriap.c
Date: Mon, 11 Oct 2010 02:25:02 +0200
Message-Id: <37f9fc452d138dfc4da2ee1ce5ae85094efc3606.1286756123.git.sameo@linux.intel.com>
X-Mailing-List: netdev@vger.kernel.org

While parsing the GetValuebyClass command frame, we could potentially write past the skb->data pointer.

Cc: stable@kernel.org
Reported-by: Ilja Van Sprundel
Signed-off-by: Samuel Ortiz
--- net/irda/iriap.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) diff --git a/net/irda/iriap.c b/net/irda/iriap.c index fce364c..5b743bd 100644 
--- a/net/irda/iriap.c +++ b/net/irda/iriap.c @@ -502,7 +502,8 @@ static void iriap_getvaluebyclass_confirm(struct iriap_cb *self, IRDA_DEBUG(4, "%s(), strlen=%d\n", __func__, value_len); /* Make sure the string is null-terminated */ - fp[n+value_len] = 0x00; + if (n + value_len < skb->len) + fp[n + value_len] = 0x00; IRDA_DEBUG(4, "Got string %s\n", fp+n); /* Will truncate to IAS_MAX_STRING bytes */
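
Review bot: When n + value_len >= skb->len, the new check in iriap_getvaluebyclass_confirm() only skips the terminator write; execution still falls through to IRDA_DEBUG(4, "Got string %s\n", fp+n) and to the code under "Will truncate to IAS_MAX_STRING bytes", both of which treat fp+n as a NUL-terminated string that nothing has terminated. That trades the out-of-bounds write for a possible out-of-bounds read of the same buffer. Consider rejecting the frame in that case (log it and leave through the function's existing error handling) rather than continuing, and update the "Make sure the string is null-terminated" comment, which no longer holds unconditionally. The bound is also only correct if fp points at the start of skb->data, which is not visible in this hunk, so it is worth stating that in the comment next to the check.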