staging: rtl8712: unterminated string leads to read overflow

commit d660f4f42ccea50262c6ee90c8e7ad19a69fb225 upstream. The memdup_user() function does not necessarily return a NUL terminated string so this can lead to a read overflow. Switch from memdup_user() to strndup_user() to fix this bug. Fixes: c6dc001f2add ("staging: r8712u: Merging Realtek's latest (v2.6.6). Various fixes.") Cc: stable <stable@vger.kernel.org> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Link: https://lore.kernel.org/r/YDYSR+1rj26NRhvb@mwanda Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Dan Carpenter <dan.carpenter@oracle.com> 2021-02-24 11:45:59 +0300
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2021-03-17 17:03:53 +0100
commit: 1a866057e970e640ceba8d021748e0805a01dda9 (patch)
tree: ace79627643667ceda57aa36a956aebe508997c2 /drivers
parent: da5abe369b03447b3df1e5816b9560cbae503993 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/staging/rtl8712/rtl871x_ioctl_linux.c b/drivers/staging/rtl8712/rtl871x_ioctl_linux.c
index 944336e0d2e2..cff918d8bcb5 100644
--- a/drivers/staging/rtl8712/rtl871x_ioctl_linux.c
+++ b/drivers/staging/rtl8712/rtl871x_ioctl_linux.c
@@ -928,7 +928,7 @@ static int r871x_wx_set_priv(struct net_device *dev,
 	struct iw_point *dwrq = (struct iw_point *)awrq;
 
 	len = dwrq->length;
-	ext = memdup_user(dwrq->pointer, len);
+	ext = strndup_user(dwrq->pointer, len);
 	if (IS_ERR(ext))
 		return PTR_ERR(ext);
author	Dan Carpenter <dan.carpenter@oracle.com>	2021-02-24 11:45:59 +0300
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2021-03-17 17:03:53 +0100
commit	1a866057e970e640ceba8d021748e0805a01dda9 (patch)
tree	ace79627643667ceda57aa36a956aebe508997c2 /drivers
parent	da5abe369b03447b3df1e5816b9560cbae503993 (diff)