staging: dgrp: fix potential call to strncpy with a negative number

In dgrp_receive() there is:

   desclen = ((plen - 12) > MAX_DESC_LEN) ? MAX_DESC_LEN :
   	     	      	    plen - 12;
   strncpy(nd->nd_ps_desc, b + 12, desclen);

However, it's possible for plen to be <= 12 here so we'd be passing a
negative number into the strncpy().  Fix this to not make the strncpy
call and report an error if desclen is <= 0

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Bill Pemberton <wfp5p@virginia.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/staging/dgrp/dgrp_net_ops.c b/drivers/staging/dgrp/dgrp_net_ops.c
index d9d6b67..ab839ea 100644 (file)
--- a/drivers/staging/dgrp/dgrp_net_ops.c
+++ b/drivers/staging/dgrp/dgrp_net_ops.c
@@ -3156,6 +3156,12 @@ check_query:
                                                nd->nd_hw_id = b[6];
                                                desclen = ((plen - 12) > MAX_DESC_LEN) ? MAX_DESC_LEN :
                                                        plen - 12;
+
+                                               if (desclen <= 0) {
+                                                       error = "Response Packet desclen error";
+                                                       goto prot_error;
+                                               }
+
                                                strncpy(nd->nd_ps_desc, b + 12, desclen);
                                                nd->nd_ps_desc[desclen] = 0;
                                        }