ChangeSet 1.1796, 2004/04/14 14:30:34-07:00, [EMAIL PROTECTED]
[PATCH] USB: fix CAN-2004-0075
Okay, now while we are at fixing security holes, is there any chance we
can _finally_ get the attached patch in?
The Vicam USB driver in all Linux Kernels 2.6 mainline does not use the
copy_from_user function when copying data from userspace to kernel space,
which crosses security boundaries and allows local users to cause a denial
of service.
Already ACKed by Greg. Only complaint was improper coding style which is done
with attached patch ;)
ciao, Marc
drivers/usb/media/vicam.c | 12 +++++++++---
1 files changed, 9 insertions(+), 3 deletions(-)
diff -Nru a/drivers/usb/media/vicam.c b/drivers/usb/media/vicam.c
--- a/drivers/usb/media/vicam.c Wed Apr 14 14:32:40 2004
+++ b/drivers/usb/media/vicam.c Wed Apr 14 14:32:40 2004
@@ -653,12 +653,18 @@
case VIDIOCSWIN:
{
- struct video_window *vw = (struct video_window *) arg;
- DBG("VIDIOCSWIN %d x %d\n", vw->width, vw->height);
+ struct video_window vw;
- if ( vw->width != 320 || vw->height != 240 )
+ if (copy_from_user(&vw, arg, sizeof(vw))) {
retval = -EFAULT;
+ break;
+ }
+
+ DBG("VIDIOCSWIN %d x %d\n", vw->width, vw->height);
+ if ( vw.width != 320 || vw.height != 240 )
+ retval = -EFAULT;
+
break;
}
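Review bot: the added DBG() line still uses vw->width and vw->height, but vw is now a struct video_window on the stack rather than a pointer, so that line will not compile in any build where DBG expands to real code; it should use vw.width and vw.height, as the size check on the following line does. Separately, the 320x240 check reports -EFAULT, the same value as the copy_from_user failure path above it; a window size the driver does not support is an invalid argument, so -EINVAL would let callers tell the two failures apart.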