From patchwork Sat Apr 27 08:22:28 2013
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Marek Lindner <lindner_marek@yahoo.de>
X-Patchwork-Id: 2988
Return-Path: <lindner_marek@yahoo.de>
Received: from nm17-vm6.bullet.mail.sg3.yahoo.com
	(nm17-vm6.bullet.mail.sg3.yahoo.com [106.10.149.85])
	by open-mesh.org (Postfix) with ESMTPS id F2857601C6E
	for <b.a.t.m.a.n@lists.open-mesh.org>;
	Sat, 27 Apr 2013 10:22:42 +0200 (CEST)
Received: from [106.10.166.125] by nm17.bullet.mail.sg3.yahoo.com with NNFMP;
	27 Apr 2013 08:22:39 -0000
Received: from [106.10.167.165] by tm14.bullet.mail.sg3.yahoo.com with NNFMP;
	27 Apr 2013 08:22:39 -0000
Received: from [127.0.0.1] by smtp138.mail.sg3.yahoo.com with NNFMP;
	27 Apr 2013 08:22:39 -0000
X-Yahoo-Newman-Id: 150625.64280.bm@smtp138.mail.sg3.yahoo.com
X-Yahoo-Newman-Property: ymail-3
X-YMail-OSG: iXYy4uwVM1k3XprSRlVJCMJHp1uh6n0vWzhcnNb3U7_L9rO
	CmjF9j2MUH4OQeHvYKzQG.NR0Nwgvwg6It2Eh5W_JrKLfVWiXG3p7Ut8Kp5e
	iQDNPyjfbpLSGSg.mqom_WMSNhw4Ukbw1GYlpyDOEkExQZv5tSEsTWyl7IGg
	vxD30sNEsxLsMPtl_il9bvPgHy6nICkoesX1j6naoXEckkbiQWTP1el612SQ
	UuwbFgV9fCAKLIlo3MJvazjlGdCK4QEWlIps3t6ZtOdpMqtwf8OL6azhCGhu
	eywACKD5Fv14C1kOdqbjgAEfXVC7W55oGxpscPHQfrn4B.c7950bfmw1ftZI
	sK6bAQmYDA2bXidQhhAp3Ru2u0nkN7GzZr5ye_hdbRlTijBUD9m.K.5f4zs.
	j3iPDganmNnL1l_hBb6xDpE9fnIXcZud0kir4qiojZp__pH0-
X-Yahoo-SMTP: tW.h3tiswBBMXO2coYcbPigGD5Lt6zY_.Zc-
X-Rocket-Received: from localhost (lindner_marek@42.98.130.246 with plain)
	by smtp138.mail.sg3.yahoo.com with SMTP;
	27 Apr 2013 01:22:39 -0700 PDT
From: Marek Lindner <lindner_marek@yahoo.de>
To: b.a.t.m.a.n@lists.open-mesh.org
Date: Sat, 27 Apr 2013 16:22:28 +0800
Message-Id: <1367050948-7626-1-git-send-email-lindner_marek@yahoo.de>
X-Mailer: git-send-email 1.7.10.4
Cc: Marek Lindner <lindner_marek@yahoo.de>
Subject: [B.A.T.M.A.N.] [PATCH] batman-adv: check proto length before
	accessing proto string buffer
X-BeenThere: b.a.t.m.a.n@lists.open-mesh.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: The list for a Better Approach To Mobile Ad-hoc Networking
	<b.a.t.m.a.n@lists.open-mesh.org>
List-Id: The list for a Better Approach To Mobile Ad-hoc Networking
	<b.a.t.m.a.n.lists.open-mesh.org>
List-Unsubscribe: <https://lists.open-mesh.org/mm/options/b.a.t.m.a.n>,
	<mailto:b.a.t.m.a.n-request@lists.open-mesh.org?subject=unsubscribe>
List-Archive: <http://lists.open-mesh.org/pipermail/b.a.t.m.a.n/>
List-Post: <mailto:b.a.t.m.a.n@lists.open-mesh.org>
List-Help: <mailto:b.a.t.m.a.n-request@lists.open-mesh.org?subject=help>
List-Subscribe: <https://lists.open-mesh.org/mm/listinfo/b.a.t.m.a.n>,
	<mailto:b.a.t.m.a.n-request@lists.open-mesh.org?subject=subscribe>
X-List-Received-Date: Sat, 27 Apr 2013 08:22:45 -0000

batadv_param_set_ra() strips the trailing '\n' from the supplied
string buffer without checking the length of the buffer first. This
patches avoids random memory access and associated potential
crashes.

Reported-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: Marek Lindner <lindner_marek@yahoo.de>
---
 main.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/main.c b/main.c
index 8a8fd00..f07dd6b 100644
--- a/main.c
+++ b/main.c
@@ -1106,7 +1106,7 @@ static int batadv_param_set_ra(const char *val, const struct kernel_param *kp)
 	char *algo_name = (char *)val;
 	size_t name_len = strlen(algo_name);
 
-	if (algo_name[name_len - 1] == '\n')
+	if (name_len > 0 && algo_name[name_len - 1] == '\n')
 		algo_name[name_len - 1] = '\0';
 
 	bat_algo_ops = batadv_algo_get(algo_name);