Inicio Explorar Axuda
Iniciar sesión
GfA
/
linux_kernel
5
0
Fork 0
Ficheiros Incidencias 0 Pull Requests 0 Wiki
Explorar o código

Staging: bcm: Clean up code in ioctl: IOCTL_BCM_EEPROM_REGISTER_READ

This patch verifies two conditions before executing
a kmalloc call. First, it checks to see that
IoBuffer.OutputLength is not greater than an
unsigned short. If so, an invalid value may be
returned. The second change is a check to make
sure IoBuffer.OutputLength is not equal to
zero. Which simply keeps this code inline with
the other ioctl, IOCTL_BCM_REGISTER_READ_PRIVATE.

Signed-off-by: Kevin McKinney <klmckinney1@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Kevin McKinney %!s(int64=14) %!d(string=hai) anos
pai
41c7b7c0fa
achega
51935d2259
Modificáronse 1 ficheiros con 5 adicións e 1 borrados
Unificar vista Mostrar estatísticas de Diff
  1. 5 1
      drivers/staging/bcm/Bcmchar.c

+ 5 - 1
drivers/staging/bcm/Bcmchar.c
Ver ficheiro 

@@ -306,7 +306,11 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
 
 		if (copy_from_user(&sRdmBuffer, IoBuffer.InputBuffer, IoBuffer.InputLength))
 
 		if (copy_from_user(&sRdmBuffer, IoBuffer.InputBuffer, IoBuffer.InputLength))
 
 			return -EFAULT;
 
 			return -EFAULT;
 
 
 
-		/* FIXME: don't trust user supplied length */
 
+		if (IoBuffer.OutputLength > USHRT_MAX ||
 
+			IoBuffer.OutputLength == 0) {
 
+			return -EINVAL;
 
+		}
 
+
 
 		temp_buff = kmalloc(IoBuffer.OutputLength, GFP_KERNEL);
 
 		temp_buff = kmalloc(IoBuffer.OutputLength, GFP_KERNEL);
 
 		if (!temp_buff)
 
 		if (!temp_buff)
 
 			return STATUS_FAILURE;
 
 			return STATUS_FAILURE;