From ad0c6e367ee0d08c4caa19ad0dbd3d752bd39de0 Mon Sep 17 00:00:00 2001 From: Bill Pemberton Date: Mon, 24 Sep 2012 17:02:08 -0400 Subject: [PATCH] staging: dgrp: fix potential call to strncpy with a negative number In dgrp_receive() there is: desclen = ((plen - 12) > MAX_DESC_LEN) ? MAX_DESC_LEN : plen - 12; strncpy(nd->nd_ps_desc, b + 12, desclen); However, it's possible for plen to be <= 12 here so we'd be passing a negative number into the strncpy(). Fix this to not make the strncpy call and report an error if desclen is <= 0 Reported-by: Dan Carpenter Signed-off-by: Bill Pemberton Signed-off-by: Greg Kroah-Hartman --- drivers/staging/dgrp/dgrp_net_ops.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/staging/dgrp/dgrp_net_ops.c b/drivers/staging/dgrp/dgrp_net_ops.c index d9d6b6709e4e..ab839ea3b44c 100644 --- a/drivers/staging/dgrp/dgrp_net_ops.c +++ b/drivers/staging/dgrp/dgrp_net_ops.c @@ -3156,6 +3156,12 @@ check_query: nd->nd_hw_id = b[6]; desclen = ((plen - 12) > MAX_DESC_LEN) ? MAX_DESC_LEN : plen - 12; + + if (desclen <= 0) { + error = "Response Packet desclen error"; + goto prot_error; + } + strncpy(nd->nd_ps_desc, b + 12, desclen); nd->nd_ps_desc[desclen] = 0; }