From: Dan Carpenter Date: Fri, 14 Sep 2012 06:56:00 +0000 (+0300) Subject: Staging: silicom: add some range checks to proc functions X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=e4c536b72fd6b25c7f4f9c6f293f43ba287b8e8f;p=GitHub%2FLineageOS%2Fandroid_kernel_samsung_universal7580.git Staging: silicom: add some range checks to proc functions If you tried to cat more than 255 characters (the last character is for the terminator) to these proc files then it would corrupt kernel memory. Signed-off-by: Dan Carpenter Signed-off-by: Daniel Cotey Signed-off-by: Greg Kroah-Hartman --- diff --git a/drivers/staging/silicom/bp_mod.c b/drivers/staging/silicom/bp_mod.c index 6e999c7ea75..1b3f5e7eb28 100644 --- a/drivers/staging/silicom/bp_mod.c +++ b/drivers/staging/silicom/bp_mod.c @@ -8227,6 +8227,9 @@ set_dis_bypass_pfs(struct file *file, const char *buffer, int bypass_param = 0, length = 0; + if (count >= sizeof(kbuf)) + return -EINVAL; + if (copy_from_user(&kbuf, buffer, count)) { return -1; } @@ -8256,6 +8259,9 @@ set_dis_tap_pfs(struct file *file, const char *buffer, int tap_param = 0, length = 0; + if (count >= sizeof(kbuf)) + return -EINVAL; + if (copy_from_user(&kbuf, buffer, count)) { return -1; } @@ -8285,6 +8291,9 @@ set_dis_disc_pfs(struct file *file, const char *buffer, int tap_param = 0, length = 0; + if (count >= sizeof(kbuf)) + return -EINVAL; + if (copy_from_user(&kbuf, buffer, count)) { return -1; } @@ -8374,6 +8383,9 @@ set_bypass_pwup_pfs(struct file *file, const char *buffer, int bypass_param = 0, length = 0; + if (count >= sizeof(kbuf)) + return -EINVAL; + if (copy_from_user(&kbuf, buffer, count)) { return -1; } @@ -8403,6 +8415,9 @@ set_bypass_pwoff_pfs(struct file *file, const char *buffer, int bypass_param = 0, length = 0; + if (count >= sizeof(kbuf)) + return -EINVAL; + if (copy_from_user(&kbuf, buffer, count)) { return -1; } @@ -8432,6 +8447,9 @@ set_tap_pwup_pfs(struct file *file, const char *buffer, int tap_param = 0, length = 0; + if (count >= sizeof(kbuf)) + return -EINVAL; + if (copy_from_user(&kbuf, buffer, count)) { return -1; } @@ -8461,6 +8479,9 @@ set_disc_pwup_pfs(struct file *file, const char *buffer, int tap_param = 0, length = 0; + if (count >= sizeof(kbuf)) + return -EINVAL; + if (copy_from_user(&kbuf, buffer, count)) { return -1; } @@ -8570,6 +8591,9 @@ set_std_nic_pfs(struct file *file, const char *buffer, int bypass_param = 0, length = 0; + if (count >= sizeof(kbuf)) + return -EINVAL; + if (copy_from_user(&kbuf, buffer, count)) { return -1; }