staging: ozwpan: Fix farewell report.
This patch fix following issues reported by Dan:-
1) There is no check limiting the size to 32 and it could be up to
253 bytes.
2) Use defines instead of magic numbers.
3) The oz_farewell struct is supposed to be a variable length struct
but the variable part is put in the middle. It doesn't make any
sense to put the length of the variable size array after then end
of the array because we can never find it again! Put the
variable size array at the end. Make it a zero length array.
u8 len;
u8 report[0];
4) In oz_add_farewell() we do this:
f = kmalloc(sizeof(struct oz_farewell) + len - 1, GFP_ATOMIC);
The "- 1" refers to sizeof(f->report) but because it was a magic
number then it was missed when the sizeof(f->report) changed.
5) In [patch 6/6] we set the ->len member. But because it is at the
end of a variable length array with no limit check the remote
attacker can just rewrite it using the memcpy() on the next line.
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Rupesh Gujare <rupesh.gujare@atmel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
diff --git a/drivers/staging/ozwpan/ozproto.c b/drivers/staging/ozwpan/ozproto.c
index 084307a..3d1a89f 100644
--- a/drivers/staging/ozwpan/ozproto.c
+++ b/drivers/staging/ozwpan/ozproto.c
@@ -291,7 +291,7 @@
struct oz_farewell *f;
struct oz_farewell *f2;
int found = 0;
- f = kmalloc(sizeof(struct oz_farewell) + len - 1, GFP_ATOMIC);
+ f = kmalloc(sizeof(struct oz_farewell) + len, GFP_ATOMIC);
if (!f)
return;
f->ep_num = ep_num;