From: Stephen Hemminger Date: Mon, 1 Nov 2010 17:59:01 +0000 (-0400) Subject: beceem: don't overrun user buffer on read X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=9c5d77009db6ff09d02a7b0a99a70c0dfd3af6c6;p=GitHub%2FLineageOS%2Fandroid_kernel_motorola_exynos9610.git beceem: don't overrun user buffer on read Serious bug in original code, if app reads 10 bytes but 20 byte msg received memory would get overwritten. Signed-off-by: Stephen Hemminger --- diff --git a/drivers/staging/bcm/Bcmchar.c b/drivers/staging/bcm/Bcmchar.c index 1a255609aeda..8089d19e6c1b 100644 --- a/drivers/staging/bcm/Bcmchar.c +++ b/drivers/staging/bcm/Bcmchar.c @@ -139,7 +139,7 @@ static ssize_t bcm_char_read(struct file *filp, char __user *buf, size_t size, l if(Packet) { PktLen = Packet->len; - if(copy_to_user(buf, Packet->data, PktLen)) + if(copy_to_user(buf, Packet->data, min_t(size_t, PktLen, size))) { dev_kfree_skb(Packet); BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0, "\nReturning from copy to user failure \n");