From 9638b67ba25b4a008767fca3b6f52d24400a8d1d Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Sat, 29 Oct 2011 10:20:20 +0300 Subject: [PATCH] Staging: sep: potential buffer overflow in ioctl tail_size is determined by several variables that come from the user so we should verify that it's not too large. Signed-off-by: Dan Carpenter Acked-by: Alan Cox Signed-off-by: Greg Kroah-Hartman --- drivers/staging/sep/sep_driver.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/staging/sep/sep_driver.c b/drivers/staging/sep/sep_driver.c index 8ac3faea2d2f..e624e2874902 100644 --- a/drivers/staging/sep/sep_driver.c +++ b/drivers/staging/sep/sep_driver.c @@ -2120,6 +2120,8 @@ static int sep_prepare_input_output_dma_table_in_dcb(struct sep_device *sep, } } if (tail_size) { + if (tail_size > sizeof(dcb_table_ptr->tail_data)) + return -EINVAL; if (is_kva == true) { memcpy(dcb_table_ptr->tail_data, (void *)(app_in_address + data_in_size - -- 2.20.1