From 9c5d77009db6ff09d02a7b0a99a70c0dfd3af6c6 Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Mon, 1 Nov 2010 13:59:01 -0400 Subject: [PATCH] beceem: don't overrun user buffer on read Serious bug in original code, if app reads 10 bytes but 20 byte msg received memory would get overwritten. Signed-off-by: Stephen Hemminger --- drivers/staging/bcm/Bcmchar.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/staging/bcm/Bcmchar.c b/drivers/staging/bcm/Bcmchar.c index 1a255609aeda..8089d19e6c1b 100644 --- a/drivers/staging/bcm/Bcmchar.c +++ b/drivers/staging/bcm/Bcmchar.c @@ -139,7 +139,7 @@ static ssize_t bcm_char_read(struct file *filp, char __user *buf, size_t size, l if(Packet) { PktLen = Packet->len; - if(copy_to_user(buf, Packet->data, PktLen)) + if(copy_to_user(buf, Packet->data, min_t(size_t, PktLen, size))) { dev_kfree_skb(Packet); BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0, "\nReturning from copy to user failure \n"); -- 2.20.1