From: Javier Martinez Canillas
Date: Tue, 25 Jan 2011 00:46:18 +0000 (+0100)
Subject: Staging: bcm: Check correct user provided length and fix error code returned
X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=00719fab9f6eb90b9e427d1096ad540d51878661;p=GitHub%2FLineageOS%2FG12%2Fandroid_kernel_amlogic_linux-4.9.git

Staging: bcm: Check correct user provided length and fix error code returned

bcm driver copies a buffer length provided by userspace without checking it.
RxCntrlMsgBitMask is of type unsigned long so only makes sense to copy
sizeof(unsigned long) bytes.

Also, copy_from_user() returns the number of bytes that could not be copied.
The driver is returning that value as error code instead of -EFAULT.

This patch solves both issues.

Signed-off-by: Javier Martinez Canillas
Cc: Stephen Hemminger
Signed-off-by: Greg Kroah-Hartman
---
diff --git a/drivers/staging/bcm/Bcmchar.c b/drivers/staging/bcm/Bcmchar.c index 31674ea1cd48..7dff283edb65 100644 --- a/drivers/staging/bcm/Bcmchar.c +++ b/drivers/staging/bcm/Bcmchar.c @@ -2024,6 +2024,12 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg) if(Status) { BCM_DEBUG_PRINT(Adapter,DBG_TYPE_OTHERS, OSAL_DBG, DBG_LVL_ALL,"copy of Ioctl buffer is failed from user space"); + Status = -EFAULT; + break; + } + + if (IoBuffer.InputLength != sizeof(unsigned long)) { + Status = -EINVAL; break; } @@ -2031,6 +2037,7 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg) if(Status) { BCM_DEBUG_PRINT(Adapter,DBG_TYPE_OTHERS, OSAL_DBG, DBG_LVL_ALL,"copy of control bit mask failed from user space"); + Status = -EFAULT; break; } BCM_DEBUG_PRINT(Adapter,DBG_TYPE_OTHERS, OSAL_DBG, DBG_LVL_ALL,"\n Got user defined cntrl msg bit mask :%lx", RxCntrlMsgBitMask);
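Review bot: in the first hunk (@@ -2024), the new length check `if (IoBuffer.InputLength != sizeof(unsigned long))` names the type rather than the destination, so it will silently drift if RxCntrlMsgBitMask ever changes type; `sizeof(RxCntrlMsgBitMask)` keeps the bound tied to the buffer that is actually written. The -EINVAL branch is also the only failure path here without a BCM_DEBUG_PRINT, while the copy failure just above it and the one in the next hunk both log, so a rejected length will be harder to diagnose than a failed copy. Since the comparison is strict equality against the kernel's `unsigned long`, it is worth stating in the commit message that callers passing any other InputLength now get -EINVAL instead of a partial or oversized copy.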
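Review bot: in the second hunk (@@ -2031), `Status = -EFAULT;` is assigned inside `if(Status)` only to overwrite the leftover byte count that was stored there a moment earlier, the same fix-up shape as the first two added lines of the previous hunk. Testing the copy_from_user() result directly in the condition and setting Status only on failure would avoid ever holding a positive byte count in a variable that is returned as an error code, which is the bug the commit message describes. This error-code correction is also independent of the length validation in the previous hunk; the message says the patch "solves both issues", and splitting it into two patches would let each be reviewed and backported on its own.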