lk/linux-kernel-test
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Staging: bcm: Add size minimum size restrictions for IOCTL_IDLE_REQ

Browse Source 
If IoBuffer.InputLength is zero then this will cause an Oops when
we dereference the ZERO_SIZE_PTR.  Or if it's smaller than
sizeof(struct link_request) then we would get memory corruption
when we set ->PLength in CopyBufferToControlPacket().

Signed-off-by: Kevin McKinney <klmckinney1@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
This commit is contained in:
Kevin McKinney
2011-09-18 18:34:46 -04:00
committed by Greg Kroah-Hartman
parent 7518b9b8fc
commit 5ac5bd8754
1 changed files with 3 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
drivers/staging/bcm/Bcmchar.c
View File

@@ -687,7 +687,9 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
if (copy_from_user(&IoBuffer, argp, sizeof(IOCTL_BUFFER))) if (copy_from_user(&IoBuffer, argp, sizeof(IOCTL_BUFFER)))
return -EFAULT; return -EFAULT;
/* FIXME: don't accept any length from user */ if (IoBuffer.InputLength < sizeof(struct link_request))
return -EINVAL;
pvBuffer = kmalloc(IoBuffer.InputLength, GFP_KERNEL); pvBuffer = kmalloc(IoBuffer.InputLength, GFP_KERNEL);
if (!pvBuffer) if (!pvBuffer)
return -ENOMEM; return -ENOMEM;