On Sun, 2011-09-25 at 21:15 -0400, Kevin McKinney wrote:
> This patch fixes two issues within bcm/Bcmchar.c.
[]
> diff --git a/drivers/staging/bcm/Bcmchar.c b/drivers/staging/bcm/Bcmchar.c
[]
> @@ -216,7 +216,12 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd,
> ULONG arg)
> if (copy_from_user(&sRdmBuffer, IoBuffer.InputBuffer,
> IoBuffer.InputLength))
> return -EFAULT;
>
> - /* FIXME: need to restrict BuffLen */
> + if (IoBuffer.OutputLength == 0)
> + return -EINVAL;
> +
> + if (IoBuffer.OutputLength > USHRT_MAX)
> + return -EINVAL;
It's reasonable and shorter to combine these tests.
	if (IoBuffer.OutputLength == 0 ||
	    IoBuffer.OutputLength > USHRT_MAX)
		return -EINVAL;
> +
> Bufflen = IoBuffer.OutputLength + (4 -
> IoBuffer.OutputLength%4)%4;
Not your issue, but because it's near the patched bits:
Because of the two modulos, this is not straightforward.
Perhaps a temporary helps.
	Bufflen = IoBuffer.OutputLength;
	u16 extra = Bufflen % 4;
	if (extra)
		Bufflen += 4 - extra;
> temp_buff = kmalloc(Bufflen, GFP_KERNEL);
> if (!temp_buff)
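
Review bot: The new upper bound on IoBuffer.OutputLength (the added "> USHRT_MAX" test) is applied before the padding step, so the size passed to kmalloc() can still be one past it: an OutputLength of 65535 rounds up to a Bufflen of 65536. That is only safe if Bufflen is wider than 16 bits, and its declaration is not visible in this hunk, so please confirm the type. The removed FIXME asked for a limit on BuffLen, so a short comment explaining why USHRT_MAX is the right cap for this read would also help the next reader.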