From: Dan Carpenter Date: Fri, 19 Sep 2014 10:43:11 +0000 (+0300) Subject: staging: vt6655: buffer overflow in ioctl X-Git-Tag: firefly_0821_release~176^2~3202^2 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=ed87c2b2e7dd34016017af183b8f3fbe28179bc1;p=firefly-linux-kernel-4.4.55.git staging: vt6655: buffer overflow in ioctl ->u.generic_elem.len is a user controlled number between 0-255. We should limit it to avoid memory corruption. Signed-off-by: Dan Carpenter Signed-off-by: Greg Kroah-Hartman --- diff --git a/drivers/staging/vt6655/hostap.c b/drivers/staging/vt6655/hostap.c index f105c2ac091b..164136b07a68 100644 --- a/drivers/staging/vt6655/hostap.c +++ b/drivers/staging/vt6655/hostap.c @@ -350,6 +350,9 @@ static int hostap_set_generic_element(PSDevice pDevice, { PSMgmtObject pMgmt = pDevice->pMgmt; + if (param->u.generic_elem.len > sizeof(pMgmt->abyWPAIE)) + return -EINVAL; + memcpy(pMgmt->abyWPAIE, param->u.generic_elem.data, param->u.generic_elem.len