Staging: bcm: Fix information leak in IOCTL_BCM_GET_DRIVER_VERSION

This ioctl, IOCTL_BCM_GET_DRIVER_VERSION, is
responsible for sending the driver version
to userspace. However, the requested size stored
in IoBuffer.OutputLength may be incorrect.
Therefore, we altered the code to send the
exact length of the version, plus one for the
null character.

Signed-off-by: Kevin McKinney <klmckinney1@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

drivers/staging/bcm/Bcmchar.c

@@ -999,11 +999,15 @@ cntrlEnd:
 	}
 
 	case IOCTL_BCM_GET_DRIVER_VERSION: {
+		ulong len;
+
 		/* Copy Ioctl Buffer structure */
 		if (copy_from_user(&IoBuffer, argp, sizeof(IOCTL_BUFFER)))
 			return -EFAULT;
 
-		if (copy_to_user(IoBuffer.OutputBuffer, VER_FILEVERSION_STR, IoBuffer.OutputLength))
+		len = min_t(ulong, IoBuffer.OutputLength, strlen(VER_FILEVERSION_STR) + 1);
+
+		if (copy_to_user(IoBuffer.OutputBuffer, VER_FILEVERSION_STR, len))
 			return -EFAULT;
 		Status = STATUS_SUCCESS;
 		break;