Staging: unisys: Fix multiple variable length array declarations

There were multiple variable length arrays declared on the stack in proc
handlers:
	char buf[count];

I changed these to be fixed length arrays.

Signed-off-by: Ken Cox <jkc@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/staging/unisys/uislib/uislib.c b/drivers/staging/unisys/uislib/uislib.c
index b9bf7b4f6cecb78a08f69daa2378b95208044e79..8d7ff94996185d20de148e794a28e32ee8f590cc 100644 (file)
--- a/drivers/staging/unisys/uislib/uislib.c
+++ b/drivers/staging/unisys/uislib/uislib.c
@@ -1509,9 +1509,12 @@ vnic_proc_write(struct file *file, const char __user *buffer,
                size_t count, loff_t *ppos)
 {
        int action = 0xffff, busNo = 0, i, result = 0;
-       char buf[count];
+       char buf[4];
        char direction;
 /* GUID guid; */
+       if (count >= ARRAY_SIZE(buf))
+               return -EINVAL;
+
        if (copy_from_user(buf, buffer, count)) {
                LOGERR("echo > /proc/uislib/vnic copy_from_user ****FAILED.\n");
                return -EFAULT;
@@ -1566,9 +1569,12 @@ chipset_proc_write(struct file *file, const char __user *buffer,
                   size_t count, loff_t *ppos)
 {
        int i, action = 0xffff;
-       char buf[count];
+       char buf[4];
        CONTROLVM_MESSAGE msg;
 
+       if (count >= ARRAY_SIZE(buf))
+               return -EINVAL;
+
        memset(&msg, 0, sizeof(CONTROLVM_MESSAGE));
 
        if (copy_from_user(buf, buffer, count)) {
@@ -1811,10 +1817,13 @@ bus_proc_write(struct file *file, const char __user *buffer,
 {
        int server_flag = 0;
        int i, action = 0xffff, result;
-       char buf[count];
+       char buf[16];
        CONTROLVM_MESSAGE msg;
        U32 busNo, deviceCount;
 
+       if (count >= ARRAY_SIZE(buf))
+               return -EINVAL;
+
        memset(&msg, 0, sizeof(CONTROLVM_MESSAGE));
 
        if (copy_from_user(buf, buffer, count)) {
@@ -1892,10 +1901,13 @@ dev_proc_write(struct file *file, const char __user *buffer,
        int server_flag = 0;
        CONTROLVM_MESSAGE msg;
        U32 busNo, devNo;
-       char buf[count];
+       char buf[32];
        unsigned int chanptr;
        int type, i, action = 0xffff, result;
 
+       if (count >= ARRAY_SIZE(buf))
+               return -EINVAL;
+
        if (copy_from_user(buf, buffer, count)) {
                LOGERR("echo > /proc/uislib/device: copy_from_user ****FAILED.");
                return -EFAULT;
@@ -1985,7 +1997,7 @@ static ssize_t
 cycles_before_wait_proc_write(struct file *file, const char __user *buffer,
                              size_t count, loff_t *ppos)
 {
-       char buf[count];
+       char buf[16];
 
 #define CYCLES_BEFORE_WAIT_USE_ERROR  { \
        LOGERR("Incorrect Call Home Input.\n"); \
@@ -1993,6 +2005,8 @@ cycles_before_wait_proc_write(struct file *file, const char __user *buffer,
        pr_info("EventID Category Type[parameter1][parameter2][parameter3][parameter4][parameter5][parameter6]\n"); \
        return -EFAULT; \
 }
+       if (count >= ARRAY_SIZE(buf))
+               return -EINVAL;
 
        if (count == 0)
                CYCLES_BEFORE_WAIT_USE_ERROR;
@@ -2014,7 +2028,7 @@ static ssize_t
 reset_counts_proc_write(struct file *file, const char __user *buffer,
                        size_t count, loff_t *ppos)
 {
-       char buf[count];
+       char buf[16];
        unsigned long long new_value;
        struct bus_info *bus;
        int i;
@@ -2026,6 +2040,9 @@ reset_counts_proc_write(struct file *file, const char __user *buffer,
        return -EFAULT; \
        }
 
+       if (count >= ARRAY_SIZE(buf))
+               return -EINVAL;
+
        if (count == 0)
                RESET_COUNTS_USE_ERROR;
 
@@ -2061,7 +2078,7 @@ static ssize_t
 smart_wakeup_proc_write(struct file *file, const char __user *buffer,
                        size_t count, loff_t *ppos)
 {
-       char buf[count];
+       char buf[16];
        int new_value;
 
 #define SMART_WAKEUP_USE_ERROR  { \
@@ -2071,6 +2088,9 @@ smart_wakeup_proc_write(struct file *file, const char __user *buffer,
        return -EFAULT; \
        }
 
+       if (count >= ARRAY_SIZE(buf))
+               return -EINVAL;
+
        if (count == 0)
                SMART_WAKEUP_USE_ERROR;
 
@@ -2092,10 +2112,13 @@ test_proc_write(struct file *file, const char __user *buffer,
                size_t count, loff_t *ppos)
 {
        int i, action = 0xffff;
-       char buf[count];
+       char buf[16];
        CONTROLVM_MESSAGE msg;
        S64 vrtc_offset;
 
+       if (count >= ARRAY_SIZE(buf))
+               return -EINVAL;
+
        memset(&msg, 0, sizeof(CONTROLVM_MESSAGE));
 
        if (copy_from_user(buf, buffer, count)) {

diff --git a/drivers/staging/unisys/virthba/virthba.c b/drivers/staging/unisys/virthba/virthba.c
index 277851fff443e809cadc0f3bc1e294eb2dc31e7a..cac25325fbf0c24be0ffd76d46f72b4595770b1d 100644 (file)
--- a/drivers/staging/unisys/virthba/virthba.c
+++ b/drivers/staging/unisys/virthba/virthba.c
@@ -1493,9 +1493,12 @@ static ssize_t
 rqwu_proc_write(struct file *file, const char __user *buffer,
                size_t count, loff_t *ppos)
 {
-       char buf[count];
+       char buf[16];
        int i, usecs;
 
+       if (count >= ARRAY_SIZE(buf))
+               return -EINVAL;
+
        if (copy_from_user(buf, buffer, count)) {
                LOGERR("copy_from_user failed. buf<<%.*s>> count<<%lu>>\n",
                       (int) count, buf, count);

diff --git a/drivers/staging/unisys/virtpci/virtpci.c b/drivers/staging/unisys/virtpci/virtpci.c
index 5700e4b36860a186a42128fe8d31113b772f37c6..0c15932c2443a8284b189dc8f2f3136dacb27d66 100644 (file)
--- a/drivers/staging/unisys/virtpci/virtpci.c
+++ b/drivers/staging/unisys/virtpci/virtpci.c
@@ -1488,7 +1488,7 @@ static ssize_t info_proc_read(struct file *file, char __user *buf,
 static ssize_t virt_proc_write(struct file *file, const char __user *buffer,
                               size_t count, loff_t *ppos)
 {
-       char buf[count];
+       char buf[16];
        int type, i, action = 0xffff;
        unsigned int busno, deviceno;
        void *chanptr;
@@ -1518,6 +1518,9 @@ static ssize_t virt_proc_write(struct file *file, const char __user *buffer,
        return -EINVAL; \
 }
 
+       if (count >= ARRAY_SIZE(buf))
+               return -EINVAL;
+
        if (copy_from_user(buf, buffer, count)) {
                LOGERR("copy_from_user failed.\n");
                return -EFAULT;