Dan Carpenter 2a2b9ef309 staging: ncpfs: memory corruption in ncp_read_kernel() ...

commit 4c41aa24ba upstream.

If the server is malicious then *bytes_read could be larger than the
size of the "target" buffer.  It would lead to memory corruption when we
do the memcpy().

Reported-by: Dr Silvio Cesare of InfoSect <Silvio Cesare <silvio.cesare@gmail.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

2018-03-28 18:24:43 +02:00

32 KiB

Raw Blame History

View Raw