irda: Fix parameter extraction stack overflow

author Samuel Ortiz <samuel@sortiz.org>

Sun, 10 Oct 2010 23:17:56 +0000 (01:17 +0200)

committer Greg Kroah-Hartman <gregkh@suse.de>

Thu, 9 Dec 2010 21:26:32 +0000 (13:26 -0800)
author Samuel Ortiz <samuel@sortiz.org>
Sun, 10 Oct 2010 23:17:56 +0000 (01:17 +0200)
committer Greg Kroah-Hartman <gregkh@suse.de>
Thu, 9 Dec 2010 21:26:32 +0000 (13:26 -0800)
diff --git a/net/irda/parameters.c b/net/irda/parameters.c

index fc1a20565e2d7ab3cbef897ac4ed2d5793189a62..71cd38c1a67fcfe241215effff78efba06be966c 100644 (file)
--- a/net/irda/parameters.c
+++ b/net/irda/parameters.c
@@ -298,6 +298,8 @@ static int irda_extract_string(void *self, __u8 *buf, int len, __u8 pi,
  
         p.pi = pi;     /* In case handler needs to know */
         p.pl = buf[1]; /* Extract length of value */
+       if (p.pl > 32)
+               p.pl = 32;
  
         IRDA_DEBUG(2, "%s(), pi=%#x, pl=%d\n", __func__,
                    p.pi, p.pl);
@@ -318,7 +320,7 @@ static int irda_extract_string(void *self, __u8 *buf, int len, __u8 pi,
                    (__u8) str[0], (__u8) str[1]);
  
         /* Null terminate string */
-       str[p.pl+1] = '\0';
+       str[p.pl] = '\0';
  
         p.pv.c = str; /* Handler will need to take a copy */
author	Samuel Ortiz <samuel@sortiz.org>
	Sun, 10 Oct 2010 23:17:56 +0000 (01:17 +0200)
committer	Greg Kroah-Hartman <gregkh@suse.de>
	Thu, 9 Dec 2010 21:26:32 +0000 (13:26 -0800)