Home Explore Help
Sign In
GfA
/
linux_kernel
5
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

staging/cxt1e1/linux.c: Correct arbitrary memory write in c4_ioctl()

The function c4_ioctl() writes data from user in ifr->ifr_data
to the kernel struct data arg, without any iolen bounds checking.
This can lead to a arbitrary write outside of the struct data arg.
Corrected by adding bounds-checking of iolen before the copy_from_user().

Signed-off-by: Salva Peiró <speiro@ai2.upv.es>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Salva Peiró 11 years ago
parent
0414855fdc
commit
084b6e7765
1 changed files with 2 additions and 0 deletions
Split View Show Diff Stats
  1. 2 0
      drivers/staging/cxt1e1/linux.c

+ 2 - 0
drivers/staging/cxt1e1/linux.c
View File 

@@ -866,6 +866,8 @@ c4_ioctl (struct net_device *ndev, struct ifreq *ifr, int cmd)
 
             _IOC_SIZE (iocmd));
 
 #endif
 
     iolen = _IOC_SIZE (iocmd);
 
+    if (iolen > sizeof(arg))
 
+        return -EFAULT;
 
     data = ifr->ifr_data + sizeof (iocmd);
 
     if (copy_from_user (&arg, data, iolen))
 
         return -EFAULT;