wl12xx: fix potential buffer overflow in testmode nvs push

We were allocating the size of the NVS file struct and not checking
whether the length of the buffer passed was correct before copying it
into the allocated memory.  This is a security hole because buffer
overflows can occur if the userspace passes a bigger file than what is
expected.

With this patch, we check if the size of the data passed from
userspace matches the size required.

This bug was introduced in 2.6.36.

Cc: stable@kernel.org
Reported-by: Ido Yariv <ido@wizery.com>
Signed-off-by: Luciano Coelho <coelho@ti.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

diff --git a/drivers/net/wireless/wl12xx/testmode.c b/drivers/net/wireless/wl12xx/testmode.c
index e64403b6896d7f135af9f2743345dcfeb8de28f2..6ec06a4a4c6dfdbe220f39bc4f910445901fbb22 100644 (file)
--- a/drivers/net/wireless/wl12xx/testmode.c
+++ b/drivers/net/wireless/wl12xx/testmode.c
@@ -204,7 +204,10 @@ static int wl1271_tm_cmd_nvs_push(struct wl1271 *wl, struct nlattr *tb[])
 
        kfree(wl->nvs);
 
-       wl->nvs = kzalloc(sizeof(struct wl1271_nvs_file), GFP_KERNEL);
+       if (len != sizeof(struct wl1271_nvs_file))
+               return -EINVAL;
+
+       wl->nvs = kzalloc(len, GFP_KERNEL);
        if (!wl->nvs) {
                wl1271_error("could not allocate memory for the nvs file");
                ret = -ENOMEM;