From 61a0bc0f1fd235cb0af8413432beb5fed8101ad1 Mon Sep 17 00:00:00 2001 From: Ken Cox Date: Fri, 7 Mar 2014 13:44:47 -0600 Subject: [PATCH] Staging: unisys: Fix multiple variable length array declarations There were multiple variable length arrays declared on the stack in proc handlers: char buf[count]; I changed these to be fixed length arrays. Signed-off-by: Ken Cox Signed-off-by: Greg Kroah-Hartman --- drivers/staging/unisys/uislib/uislib.c | 39 +++++++++++++++++++----- drivers/staging/unisys/virthba/virthba.c | 5 ++- drivers/staging/unisys/virtpci/virtpci.c | 5 ++- 3 files changed, 39 insertions(+), 10 deletions(-) diff --git a/drivers/staging/unisys/uislib/uislib.c b/drivers/staging/unisys/uislib/uislib.c index b9bf7b4f6cec..8d7ff9499618 100644 --- a/drivers/staging/unisys/uislib/uislib.c +++ b/drivers/staging/unisys/uislib/uislib.c @@ -1509,9 +1509,12 @@ vnic_proc_write(struct file *file, const char __user *buffer, size_t count, loff_t *ppos) { int action = 0xffff, busNo = 0, i, result = 0; - char buf[count]; + char buf[4]; char direction; /* GUID guid; */ + if (count >= ARRAY_SIZE(buf)) + return -EINVAL; + if (copy_from_user(buf, buffer, count)) { LOGERR("echo > /proc/uislib/vnic copy_from_user ****FAILED.\n"); return -EFAULT; @@ -1566,9 +1569,12 @@ chipset_proc_write(struct file *file, const char __user *buffer, size_t count, loff_t *ppos) { int i, action = 0xffff; - char buf[count]; + char buf[4]; CONTROLVM_MESSAGE msg; + if (count >= ARRAY_SIZE(buf)) + return -EINVAL; + memset(&msg, 0, sizeof(CONTROLVM_MESSAGE)); if (copy_from_user(buf, buffer, count)) { @@ -1811,10 +1817,13 @@ bus_proc_write(struct file *file, const char __user *buffer, { int server_flag = 0; int i, action = 0xffff, result; - char buf[count]; + char buf[16]; CONTROLVM_MESSAGE msg; U32 busNo, deviceCount; + if (count >= ARRAY_SIZE(buf)) + return -EINVAL; + memset(&msg, 0, sizeof(CONTROLVM_MESSAGE)); if (copy_from_user(buf, buffer, count)) { @@ -1892,10 +1901,13 @@ dev_proc_write(struct file *file, const char __user *buffer, int server_flag = 0; CONTROLVM_MESSAGE msg; U32 busNo, devNo; - char buf[count]; + char buf[32]; unsigned int chanptr; int type, i, action = 0xffff, result; + if (count >= ARRAY_SIZE(buf)) + return -EINVAL; + if (copy_from_user(buf, buffer, count)) { LOGERR("echo > /proc/uislib/device: copy_from_user ****FAILED."); return -EFAULT; @@ -1985,7 +1997,7 @@ static ssize_t cycles_before_wait_proc_write(struct file *file, const char __user *buffer, size_t count, loff_t *ppos) { - char buf[count]; + char buf[16]; #define CYCLES_BEFORE_WAIT_USE_ERROR { \ LOGERR("Incorrect Call Home Input.\n"); \ @@ -1993,6 +2005,8 @@ cycles_before_wait_proc_write(struct file *file, const char __user *buffer, pr_info("EventID Category Type[parameter1][parameter2][parameter3][parameter4][parameter5][parameter6]\n"); \ return -EFAULT; \ } + if (count >= ARRAY_SIZE(buf)) + return -EINVAL; if (count == 0) CYCLES_BEFORE_WAIT_USE_ERROR; @@ -2014,7 +2028,7 @@ static ssize_t reset_counts_proc_write(struct file *file, const char __user *buffer, size_t count, loff_t *ppos) { - char buf[count]; + char buf[16]; unsigned long long new_value; struct bus_info *bus; int i; @@ -2026,6 +2040,9 @@ reset_counts_proc_write(struct file *file, const char __user *buffer, return -EFAULT; \ } + if (count >= ARRAY_SIZE(buf)) + return -EINVAL; + if (count == 0) RESET_COUNTS_USE_ERROR; @@ -2061,7 +2078,7 @@ static ssize_t smart_wakeup_proc_write(struct file *file, const char __user *buffer, size_t count, loff_t *ppos) { - char buf[count]; + char buf[16]; int new_value; #define SMART_WAKEUP_USE_ERROR { \ @@ -2071,6 +2088,9 @@ smart_wakeup_proc_write(struct file *file, const char __user *buffer, return -EFAULT; \ } + if (count >= ARRAY_SIZE(buf)) + return -EINVAL; + if (count == 0) SMART_WAKEUP_USE_ERROR; @@ -2092,10 +2112,13 @@ test_proc_write(struct file *file, const char __user *buffer, size_t count, loff_t *ppos) { int i, action = 0xffff; - char buf[count]; + char buf[16]; CONTROLVM_MESSAGE msg; S64 vrtc_offset; + if (count >= ARRAY_SIZE(buf)) + return -EINVAL; + memset(&msg, 0, sizeof(CONTROLVM_MESSAGE)); if (copy_from_user(buf, buffer, count)) { diff --git a/drivers/staging/unisys/virthba/virthba.c b/drivers/staging/unisys/virthba/virthba.c index 277851fff443..cac25325fbf0 100644 --- a/drivers/staging/unisys/virthba/virthba.c +++ b/drivers/staging/unisys/virthba/virthba.c @@ -1493,9 +1493,12 @@ static ssize_t rqwu_proc_write(struct file *file, const char __user *buffer, size_t count, loff_t *ppos) { - char buf[count]; + char buf[16]; int i, usecs; + if (count >= ARRAY_SIZE(buf)) + return -EINVAL; + if (copy_from_user(buf, buffer, count)) { LOGERR("copy_from_user failed. buf<<%.*s>> count<<%lu>>\n", (int) count, buf, count); diff --git a/drivers/staging/unisys/virtpci/virtpci.c b/drivers/staging/unisys/virtpci/virtpci.c index 5700e4b36860..0c15932c2443 100644 --- a/drivers/staging/unisys/virtpci/virtpci.c +++ b/drivers/staging/unisys/virtpci/virtpci.c @@ -1488,7 +1488,7 @@ static ssize_t info_proc_read(struct file *file, char __user *buf, static ssize_t virt_proc_write(struct file *file, const char __user *buffer, size_t count, loff_t *ppos) { - char buf[count]; + char buf[16]; int type, i, action = 0xffff; unsigned int busno, deviceno; void *chanptr; @@ -1518,6 +1518,9 @@ static ssize_t virt_proc_write(struct file *file, const char __user *buffer, return -EINVAL; \ } + if (count >= ARRAY_SIZE(buf)) + return -EINVAL; + if (copy_from_user(buf, buffer, count)) { LOGERR("copy_from_user failed.\n"); return -EFAULT; -- 2.20.1