Staging: bcm: Add size maximum size restrictions for IOCTL_IDLE_REQ

In the first alteration, the MAX_CNTL_PKT_SIZE is the
maximum size of the control packet in ->Adapter->txctlpacket[]
which is defined in InitAdapter(). This caps the size of
kmalloc memory allocation. In the second change, this max
cap fixes a potential memory corruption bug when subsequent
memset and memcpy calls are invoked.

Signed-off-by: Kevin McKinney <klmckinney1@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

diff --git a/drivers/staging/bcm/Bcmchar.c b/drivers/staging/bcm/Bcmchar.c
index 1905a83b33856ba37b534c4e4f6c0ad80b8b7ff2..4c433538397780f66a2343dea9afa0918987177b 100644 (file)
--- a/drivers/staging/bcm/Bcmchar.c
+++ b/drivers/staging/bcm/Bcmchar.c
@@ -690,6 +690,9 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
                if (IoBuffer.InputLength < sizeof(struct link_request))
                        return -EINVAL;
 
+               if (IoBuffer.InputLength > MAX_CNTL_PKT_SIZE)
+                       return -EINVAL;
+
                pvBuffer = kmalloc(IoBuffer.InputLength, GFP_KERNEL);
                if (!pvBuffer)
                        return -ENOMEM;

diff --git a/drivers/staging/bcm/Misc.c b/drivers/staging/bcm/Misc.c
index c5b3a3666bc7973436e0137342c05d20523b457a..9da94086987f22c07b6b80cc65c7b2655e066407 100644 (file)
--- a/drivers/staging/bcm/Misc.c
+++ b/drivers/staging/bcm/Misc.c
@@ -421,6 +421,10 @@ INT CopyBufferToControlPacket(PMINI_ADAPTER Adapter,/**<Logical Adapter*/
                                pLeader->PLength = pktlen;
                        }
                }
+
+               if (pktlen + LEADER_SIZE > MAX_CNTL_PKT_SIZE)
+                       return -EINVAL;
+
                memset(ctrl_buff, 0, pktlen+LEADER_SIZE);
                BCM_DEBUG_PRINT(Adapter,DBG_TYPE_TX, TX_CONTROL, DBG_LVL_ALL, "Copying the Control Packet Buffer with length=%d\n", pLeader->PLength);
                *(PLEADER)ctrl_buff=*pLeader;