projects / GitHub / moto-9609 / android_kernel_motorola_exynos9610.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 7518b9b)
Staging: bcm: Add size minimum size restrictions for IOCTL_IDLE_REQ
authorKevin McKinney <klmckinney1@gmail.com>
Sun, 18 Sep 2011 22:34:46 +0000 (18:34 -0400)
committerGreg Kroah-Hartman <gregkh@suse.de>
Mon, 19 Sep 2011 17:46:17 +0000 (10:46 -0700)
If IoBuffer.InputLength is zero then this will cause an Oops when
we dereference the ZERO_SIZE_PTR.  Or if it's smaller than
sizeof(struct link_request) then we would get memory corruption
when we set ->PLength in CopyBufferToControlPacket().

Signed-off-by: Kevin McKinney <klmckinney1@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
drivers/staging/bcm/Bcmchar.c patch | blob | blame | history

diff --git a/drivers/staging/bcm/Bcmchar.c b/drivers/staging/bcm/Bcmchar.c
index 6f8a75dc1ef04b8d94abcc35f42bbe5d0c075452..1905a83b33856ba37b534c4e4f6c0ad80b8b7ff2 100644 (file)
--- a/drivers/staging/bcm/Bcmchar.c
+++ b/drivers/staging/bcm/Bcmchar.c
@@ -687,7 +687,9 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
                if (copy_from_user(&IoBuffer, argp, sizeof(IOCTL_BUFFER)))
                        return -EFAULT;
 
-               /* FIXME: don't accept any length from user */
+               if (IoBuffer.InputLength < sizeof(struct link_request))
+                       return -EINVAL;
+
                pvBuffer = kmalloc(IoBuffer.InputLength, GFP_KERNEL);
                if (!pvBuffer)
                        return -ENOMEM;