From cb9cc9cae9ebde1148e48c9682205af8518ec0c9 Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Wed, 9 Jan 2013 10:09:19 +0300 Subject: [PATCH] Staging: bcm: copying more data than intended This was changed to bcm_flash2x_cs_info instead of bcm_flash_cs_info when we got rid of the typedefs. bcm_flash2x_cs_info is quite a bit larger than bcm_flash_cs_info (436 bytes instead of 96) so it would corrupt user memory and it's an info leak. Signed-off-by: Dan Carpenter Signed-off-by: Greg Kroah-Hartman --- drivers/staging/bcm/Bcmchar.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/staging/bcm/Bcmchar.c b/drivers/staging/bcm/Bcmchar.c index 4ba1a5d1bf96..491e2bfbc464 100644 --- a/drivers/staging/bcm/Bcmchar.c +++ b/drivers/staging/bcm/Bcmchar.c @@ -1792,7 +1792,7 @@ cntrlEnd: if (IoBuffer.OutputLength < sizeof(struct bcm_flash_cs_info)) return -EINVAL; - if (copy_to_user(IoBuffer.OutputBuffer, Adapter->psFlashCSInfo, sizeof(struct bcm_flash2x_cs_info))) + if (copy_to_user(IoBuffer.OutputBuffer, Adapter->psFlashCSInfo, sizeof(struct bcm_flash_cs_info))) return -EFAULT; } } -- 2.30.2