irda: prevent heap corruption on invalid nickname

commit d50e7e3604778bfc2dc40f440e0742dbae399d54 upstream.

Invalid nicknames containing only spaces will result in an underflow in
a memcpy size calculation, subsequently destroying the heap and
panicking.

v2 also catches the case where the provided nickname is longer than the
buffer size, which can result in controllable heap corruption.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

diff --git a/net/irda/irnet/irnet_ppp.c b/net/irda/irnet/irnet_ppp.c
index 6a1a202710c51203597fc291244d1a5d9b5df1d6..ab5bee29dc33bb100cbc9586053d6e0433850ac4 100644 (file)
--- a/net/irda/irnet/irnet_ppp.c
+++ b/net/irda/irnet/irnet_ppp.c
@@ -106,6 +106,9 @@ irnet_ctrl_write(irnet_socket *     ap,
              while(isspace(start[length - 1]))
                length--;
 
+             DABORT(length < 5 || length > NICKNAME_MAX_LEN + 5,
+                    -EINVAL, CTRL_ERROR, "Invalid nickname.\n");
+
              /* Copy the name for later reuse */
              memcpy(ap->rname, start + 5, length - 5);
              ap->rname[length - 5] = '\0';