This patch verifies two conditions before executing a kmalloc call. First, it checks to see that IoBuffer.OutputLength is not greater than an unsigned short. If so, an invalid value may be returned. The second change is a check to make sure IoBuffer.OutputLength is not equal to zero. Which simply keeps this code inline with the other ioctl, IOCTL_BCM_REGISTER_READ_PRIVATE.
Signed-off-by: Kevin McKinney <[email protected]> --- drivers/staging/bcm/Bcmchar.c | 6 +++++- 1 files changed, 5 insertions(+), 1 deletions(-) diff --git a/drivers/staging/bcm/Bcmchar.c b/drivers/staging/bcm/Bcmchar.c index e110d0e..7cffbdd 100644 --- a/drivers/staging/bcm/Bcmchar.c +++ b/drivers/staging/bcm/Bcmchar.c @@ -306,7 +306,11 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg) if (copy_from_user(&sRdmBuffer, IoBuffer.InputBuffer, IoBuffer.InputLength)) return -EFAULT; - /* FIXME: don't trust user supplied length */ + if (IoBuffer.OutputLength > USHRT_MAX || + IoBuffer.OutputLength == 0) { + return -EINVAL; + } + temp_buff = kmalloc(IoBuffer.OutputLength, GFP_KERNEL); if (!temp_buff) return STATUS_FAILURE; -- 1.7.4.1 _______________________________________________ devel mailing list [email protected] http://driverdev.linuxdriverproject.org/mailman/listinfo/devel
