Commit d370af0ef7951188daeb15bae75db7ba57c67846

Authored by Dan Rosenberg
Committed by David S. Miller
1 parent d50e7e3604

irda: validate peer name and attribute lengths

Length fields provided by a peer for names and attributes may be longer
than the destination array sizes.  Validate lengths to prevent stack
buffer overflows.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: stable@kernel.org
Signed-off-by: David S. Miller <davem@davemloft.net>

Showing 1 changed file with 6 additions and 0 deletions

... ... @@ -656,10 +656,16 @@
656 656 n = 1;
657 657  
658 658 name_len = fp[n++];
  659 +
  660 + IRDA_ASSERT(name_len < IAS_MAX_CLASSNAME + 1, return;);
  661 +
659 662 memcpy(name, fp+n, name_len); n+=name_len;
660 663 name[name_len] = '\0';
661 664  
662 665 attr_len = fp[n++];
  666 +
  667 + IRDA_ASSERT(attr_len < IAS_MAX_ATTRIBNAME + 1, return;);
  668 +
663 669 memcpy(attr, fp+n, attr_len); n+=attr_len;
664 670 attr[attr_len] = '\0';
665 671
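
Review bot: The two new length checks (new lines 660 and 667) are written as IRDA_ASSERT(..., return;), which puts validation of peer-controlled bytes (name_len and attr_len are read straight from fp[n++]) behind an assertion macro. If that macro is compiled out in non-debug configurations, both memcpy calls are unguarded again. An unconditional test such as `if (name_len > IAS_MAX_CLASSNAME) return;`, and the same for attr_len against IAS_MAX_ATTRIBNAME, would hold in every build. The checks also bound only the destination arrays: nothing in the visible lines compares n + name_len or n + attr_len with the length of the received frame, so the source side of each memcpy from fp+n deserves a bound as well.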