Staging: bcm: Check correct user provided length and fix error code returned
authorJavier Martinez Canillas <martinez.javier@gmail.com>
Tue, 25 Jan 2011 00:46:18 +0000 (01:46 +0100)
committerGreg Kroah-Hartman <gregkh@suse.de>
Fri, 4 Feb 2011 21:01:02 +0000 (13:01 -0800)
bcm driver copies a buffer length provided by userpace without checking it.

RxCntrlMsgBitMask is of type unsigned long so only makes sense to copy
sizeof(unsigned long) bytes.

Also, copy_from_user() returns the number of bytes that could not be copied.
The driver is returning that value as error code instead of -EFAULT.

This patch solves both issues.

Signed-off-by: Javier Martinez Canillas <martinez.javier@gmail.com>
Cc: Stephen Hemminger <shemminger@vyatta.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
drivers/staging/bcm/Bcmchar.c

index 31674ea1cd480d2926d556e4ff46289906d678f0..7dff283edb655a9c1286ca6095d8f687272c0a66 100644 (file)
@@ -2024,6 +2024,12 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
                                if(Status)
                                {
                                        BCM_DEBUG_PRINT(Adapter,DBG_TYPE_OTHERS, OSAL_DBG, DBG_LVL_ALL,"copy of Ioctl buffer is failed from user space");
+                                       Status = -EFAULT;
+                                       break;
+                               }
+
+                               if (IoBuffer.InputLength != sizeof(unsigned long)) {
+                                       Status = -EINVAL;
                                        break;
                                }
 
@@ -2031,6 +2037,7 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
                                if(Status)
                                {
                                        BCM_DEBUG_PRINT(Adapter,DBG_TYPE_OTHERS, OSAL_DBG, DBG_LVL_ALL,"copy of control bit mask failed from user space");
+                                       Status = -EFAULT;
                                        break;
                                }
                                BCM_DEBUG_PRINT(Adapter,DBG_TYPE_OTHERS, OSAL_DBG, DBG_LVL_ALL,"\n Got user defined cntrl msg bit mask :%lx", RxCntrlMsgBitMask);