irda: prevent heap corruption on invalid nickname

commit d50e7e3604778bfc2dc40f440e0742dbae399d54 upstream.

Invalid nicknames containing only spaces will result in an underflow in
a memcpy size calculation, subsequently destroying the heap and
panicking.

v2 also catches the case where the provided nickname is longer than the
buffer size, which can result in controllable heap corruption.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

diff --git a/net/irda/irnet/irnet_ppp.c b/net/irda/irnet/irnet_ppp.c
index 6d8ae03c14f5b8e3dc12af9906a14e1b0ae3b666..8f5664fdb69ff0ca8f0bd67ccae0e06981cfa431 100644 (file)
--- a/net/irda/irnet/irnet_ppp.c
+++ b/net/irda/irnet/irnet_ppp.c
@@ -104,6 +104,9 @@ irnet_ctrl_write(irnet_socket *     ap,
              while(isspace(start[length - 1]))
                length--;
 
+             DABORT(length < 5 || length > NICKNAME_MAX_LEN + 5,
+                    -EINVAL, CTRL_ERROR, "Invalid nickname.\n");
+
              /* Copy the name for later reuse */
              memcpy(ap->rname, start + 5, length - 5);
              ap->rname[length - 5] = '\0';