From 5e59be1f351b0ca9c5a43c627e3ed676ae93a941 Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Wed, 8 Sep 2010 21:39:56 +0200 Subject: [PATCH] mtd: sanity check ioctl input If "ur_idx" is wrong we could go past the end of the array. The "ur_idx" comes from root so it's not a huge deal, but adding a sanity check makes the code more robust. Signed-off-by: Dan Carpenter Signed-off-by: Artem Bityutskiy Signed-off-by: David Woodhouse --- drivers/mtd/mtdchar.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/mtd/mtdchar.c b/drivers/mtd/mtdchar.c index 1d981a5c1b13..5895de7018d4 100644 --- a/drivers/mtd/mtdchar.c +++ b/drivers/mtd/mtdchar.c @@ -546,6 +546,9 @@ static int mtd_ioctl(struct file *file, u_int cmd, u_long arg) if (get_user(ur_idx, &(ur->regionindex))) return -EFAULT; + if (ur_idx >= mtd->numeraseregions) + return -EINVAL; + kr = &(mtd->eraseregions[ur_idx]); if (put_user(kr->offset, &(ur->offset)) -- 2.20.1