86674a97f5
In ca8210_test_int_user_write() a user can request the transfer of a frame with a length field (command.length) that is longer than the actual buffer provided (len). In this scenario the driver will copy the buffer contents into the uninitialised command[] buffer, then transfer <data.length> bytes over the SPI even though only <len> bytes had been populated, potentially leaking sensitive kernel memory. Also the first 6 bytes of the command buffer must be initialised in case a malformed, short packet is written and the uninitialised bytes are read in ca8210_test_check_upstream. Reported-by: Domen Puncer Kugler <domen.puncer@samsung.com> Signed-off-by: Harry Morris <h.morris@cascoda.com> Tested-by: Harry Morris <h.morris@cascoda.com> Signed-off-by: Stefan Schmidt <stefan@osg.samsung.com> |
||
|---|---|---|
| .. | ||
| adf7242.c | ||
| at86rf230.c | ||
| at86rf230.h | ||
| atusb.c | ||
| atusb.h | ||
| ca8210.c | ||
| cc2520.c | ||
| fakelb.c | ||
| Kconfig | ||
| Makefile | ||
| mcr20a.c | ||
| mcr20a.h | ||
| mrf24j40.c | ||