From: Dan Carpenter Date: Sat, 29 Oct 2011 07:20:20 +0000 (+0300) Subject: Staging: sep: potential buffer overflow in ioctl X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=9638b67ba25b4a008767fca3b6f52d24400a8d1d;p=openwrt%2Fstaging%2Fblogic.git Staging: sep: potential buffer overflow in ioctl tail_size is determined by several variables that come from the user so we should verify that it's not too large. Signed-off-by: Dan Carpenter Acked-by: Alan Cox Signed-off-by: Greg Kroah-Hartman --- diff --git a/drivers/staging/sep/sep_driver.c b/drivers/staging/sep/sep_driver.c index 8ac3faea2d2f..e624e2874902 100644 --- a/drivers/staging/sep/sep_driver.c +++ b/drivers/staging/sep/sep_driver.c @@ -2120,6 +2120,8 @@ static int sep_prepare_input_output_dma_table_in_dcb(struct sep_device *sep, } } if (tail_size) { + if (tail_size > sizeof(dcb_table_ptr->tail_data)) + return -EINVAL; if (is_kva == true) { memcpy(dcb_table_ptr->tail_data, (void *)(app_in_address + data_in_size -