From 261eba73353edd48b0c0cb7aad59553dfc712ebc Mon Sep 17 00:00:00 2001 From: Alan Cox Date: Mon, 30 Jul 2012 14:41:30 -0700 Subject: [PATCH] drivers/message/i2o/i2o_config.c: bound allocation Fix a case where users can try to allocate arbitarily large amounts of memory. 64K is overkill for a config request so apply an upper bound. Signed-off-by: Alan Cox Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- drivers/message/i2o/i2o_config.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/drivers/message/i2o/i2o_config.c b/drivers/message/i2o/i2o_config.c index 098de2b35784..9a49c243a6ac 100644 --- a/drivers/message/i2o/i2o_config.c +++ b/drivers/message/i2o/i2o_config.c @@ -188,6 +188,13 @@ static int i2o_cfg_parms(unsigned long arg, unsigned int type) if (!dev) return -ENXIO; + /* + * Stop users being able to try and allocate arbitary amounts + * of DMA space. 64K is way more than sufficient for this. + */ + if (kcmd.oplen > 65536) + return -EMSGSIZE; + ops = memdup_user(kcmd.opbuf, kcmd.oplen); if (IS_ERR(ops)) return PTR_ERR(ops); -- 2.20.1