[PATCH] drivers/isdn/sc/ioctl.c: copy_from_user() size fix
authorDomen Puncer <domen@coderock.org>
Fri, 3 Feb 2006 11:04:14 +0000 (03:04 -0800)
committerLinus Torvalds <torvalds@g5.osdl.org>
Fri, 3 Feb 2006 16:32:05 +0000 (08:32 -0800)
A few lines above the patch we have:

char *srec;
srec = kmalloc(SCIOC_SRECSIZE, GFP_KERNEL);

sizeof pointer is probably not meant here.

Signed-off-by: Domen Puncer <domen@coderock.org>
Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Karsten Keil <kkeil@suse.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
drivers/isdn/sc/ioctl.c

index 3314a5a19854239f2bf335102c4e6f1c6dabfa97..94c9afb7017c66791b1eb154bcdf5d53f350b77c 100644 (file)
@@ -71,14 +71,14 @@ int sc_ioctl(int card, scs_ioctl *data)
                /*
                 * Get the SRec from user space
                 */
-               if (copy_from_user(srec, data->dataptr, sizeof(srec))) {
+               if (copy_from_user(srec, data->dataptr, SCIOC_SRECSIZE)) {
                        kfree(rcvmsg);
                        kfree(srec);
                        return -EFAULT;
                }
 
                status = send_and_receive(card, CMPID, cmReqType2, cmReqClass0, cmReqLoadProc,
-                               0, sizeof(srec), srec, rcvmsg, SAR_TIMEOUT);
+                               0, SCIOC_SRECSIZE, srec, rcvmsg, SAR_TIMEOUT);
                kfree(rcvmsg);
                kfree(srec);