projects / openwrt / staging / blogic.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 2322697)
Staging: sep: potential buffer overflow in ioctl
authorDan Carpenter <dan.carpenter@oracle.com>
Sat, 29 Oct 2011 07:20:20 +0000 (10:20 +0300)
committerGreg Kroah-Hartman <gregkh@suse.de>
Sun, 27 Nov 2011 01:23:57 +0000 (17:23 -0800)
tail_size is determined by several variables that come from the user
so we should verify that it's not too large.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Alan Cox <alan@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
drivers/staging/sep/sep_driver.c patch | blob | history

diff --git a/drivers/staging/sep/sep_driver.c b/drivers/staging/sep/sep_driver.c
index 8ac3faea2d2ffa64e6212d9488090b95b35e93fd..e624e28749029f16c9fa83b542d21099d1918b24 100644 (file)
--- a/drivers/staging/sep/sep_driver.c
+++ b/drivers/staging/sep/sep_driver.c
@@ -2120,6 +2120,8 @@ static int sep_prepare_input_output_dma_table_in_dcb(struct sep_device *sep,
                        }
                }
                if (tail_size) {
+                       if (tail_size > sizeof(dcb_table_ptr->tail_data))
+                               return -EINVAL;
                        if (is_kva == true) {
                                memcpy(dcb_table_ptr->tail_data,
                                        (void *)(app_in_address + data_in_size -
John Crispins staging tree