Home Explore Help
Sign In
GfA
/
linux_kernel
5
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

Staging: bcm: Add min/max restrictions for IOCTL_BCM_REGISTER_READ_PRIVATE

This patch fixes two issues within bcm/Bcmchar.c. The
first condition in the or statement checks if variable
IoBuffer.OutputLength, defined from user space, is
greater than the maximum value allowed for an
unsigned short. IoBuffer.OutputLength is then used
in a kmalloc call to return a pointer to memory. If
this size is greater than an unsigned short, it
becomes useless. The second condition in the or statement
checks if the same variable, IoBuffer.OutputLength is
equal to zero before invoking the kmalloc call. In
this case, if a zero size is sent to kmalloc, a valid
pointer to memory is returned instead of the expected NULL.

Signed-off-by: Kevin McKinney <klmckinney1@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Kevin McKinney 14 years ago
parent
d515d0ff36
commit
0a2cc4977f
1 changed files with 5 additions and 1 deletions
Unified View Show Diff Stats
  1. 5 1
      drivers/staging/bcm/Bcmchar.c

+ 5 - 1
drivers/staging/bcm/Bcmchar.c
View File 

@@ -216,7 +216,11 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
 
 		if (copy_from_user(&sRdmBuffer, IoBuffer.InputBuffer, IoBuffer.InputLength))
 
 		if (copy_from_user(&sRdmBuffer, IoBuffer.InputBuffer, IoBuffer.InputLength))
 
 			return -EFAULT;
 
 			return -EFAULT;
 
 
 
-		/* FIXME: need to restrict BuffLen */
 
+		if (IoBuffer.OutputLength > USHRT_MAX ||
 
+			IoBuffer.OutputLength == 0) {
 
+			return -EINVAL;
 
+		}
 
+
 
 		Bufflen = IoBuffer.OutputLength + (4 - IoBuffer.OutputLength%4)%4;
 
 		Bufflen = IoBuffer.OutputLength + (4 - IoBuffer.OutputLength%4)%4;
 
 		temp_buff = kmalloc(Bufflen, GFP_KERNEL);
 
 		temp_buff = kmalloc(Bufflen, GFP_KERNEL);
 
 		if (!temp_buff)
 
 		if (!temp_buff)