[PATCH 049/510] beceem: don't overrun user buffer on read

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

From: Stephen Hemminger <stephen.hemminger@xxxxxxxxxx>

Serious bug in original code, if app reads 10 bytes but 20 byte msg
received memory would get overwritten.

Signed-off-by: Stephen Hemminger <shemminger@xxxxxxxxxx>
---
 drivers/staging/bcm/Bcmchar.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/drivers/staging/bcm/Bcmchar.c b/drivers/staging/bcm/Bcmchar.c
index 1a25560..8089d19 100644
--- a/drivers/staging/bcm/Bcmchar.c
+++ b/drivers/staging/bcm/Bcmchar.c
@@ -139,7 +139,7 @@ static ssize_t bcm_char_read(struct file *filp, char __user *buf, size_t size, l
 	if(Packet)
 	{
 		PktLen = Packet->len;
-		if(copy_to_user(buf, Packet->data, PktLen))
+		if(copy_to_user(buf, Packet->data, min_t(size_t, PktLen, size)))
 		{
 			dev_kfree_skb(Packet);
 			BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0, "\nReturning from copy to user failure \n");
-- 
1.7.3.2

_______________________________________________
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxx
http://driverdev.linuxdriverproject.org/mailman/listinfo/devel
[Index of Archives]     [Linux Driver Backports]     [DMA Engine]     [Linux GPIO]     [Linux SPI]     [Video for Linux]     [Linux USB Devel]     [Linux Coverity]     [Linux Audio Users]     [Linux Kernel]     [Linux SCSI]     [Yosemite Backpacking]
  Powered by Linux