[PATCH v3] Staging: bcm: Fix potential buffer overflow and style cleanups

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



bcm driver copies from userpace with the following statement:

copy_from_user(&RxCntrlMsgBitMask, IoBuffer.InputBuffer, IoBuffer.InputLength);

Compiling gives the following warning:

at drivers/staging/bcm/Bcmchar.c:2030:
linux-next/arch/x86/include/asm/uaccess_32.h:212: warning: call to
copy_from_user_overflow declared with attribute warning: copy_from_user()
buffer size is not provably correct.

RxCntrlMsgBitMask is of type unsigned long so we have to check that
IoBuffer.InputLength is equal to sizeof(unsigned long).

Signed-off-by: Javier Martinez Canillas <martinez.javier@xxxxxxxxx>
---

 V2: Check the user provided length recommended by Stephen Hemminger
     Check for copy_from_user() and return -EFAULT; do not use ULONG and 
     get rid of unnecessary log information recommended by Dan Carpenter.
 V3: Check that user provided length is equal to sizeof(unsigned long) 
     recommended by Dan Carpenter. Also, get rid of the innecesary scope 
     brackets in the switch case.

 drivers/staging/bcm/Bcmchar.c |   46 +++++++++++++++++++++++-----------------
 1 files changed, 26 insertions(+), 20 deletions(-)

diff --git a/drivers/staging/bcm/Bcmchar.c b/drivers/staging/bcm/Bcmchar.c
index 31674ea..efea42e 100644
--- a/drivers/staging/bcm/Bcmchar.c
+++ b/drivers/staging/bcm/Bcmchar.c
@@ -163,6 +163,7 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
 	INT  			Status = STATUS_FAILURE;
 	int timeout = 0;
 	IOCTL_BUFFER 	IoBuffer;
+	unsigned long RxCntrlMsgBitMask;
 
 	BCM_DEBUG_PRINT(Adapter,DBG_TYPE_OTHERS, OSAL_DBG, DBG_LVL_ALL, "Parameters Passed to control IOCTL cmd=0x%X arg=0x%lX", cmd, arg);
 
@@ -2015,28 +2016,33 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
 				break ;
 			 }
 
-		case IOCTL_BCM_CNTRLMSG_MASK:
-			 {
-				ULONG RxCntrlMsgBitMask = 0 ;
+	case IOCTL_BCM_CNTRLMSG_MASK:
+		RxCntrlMsgBitMask = 0;
+		/* Copy Ioctl Buffer structure */
+		Status = copy_from_user(&IoBuffer, argp, sizeof(IOCTL_BUFFER));
+		if (Status) {
+			BCM_DEBUG_PRINT(Adapter, DBG_TYPE_OTHERS, OSAL_DBG, DBG_LVL_ALL,
+					"copy of Ioctl buffer is failed from user space");
+			Status = -EFAULT;
+			break;
+		}
 
-				/* Copy Ioctl Buffer structure */
-				Status = copy_from_user(&IoBuffer, argp, sizeof(IOCTL_BUFFER));
-				if(Status)
-				{
-					BCM_DEBUG_PRINT(Adapter,DBG_TYPE_OTHERS, OSAL_DBG, DBG_LVL_ALL,"copy of Ioctl buffer is failed from user space");
-					break;
-				}
+		if (IoBuffer.InputLength != sizeof(unsigned long)) {
+			Status = -EINVAL;
+			break;
+		}
 
-				Status = copy_from_user(&RxCntrlMsgBitMask, IoBuffer.InputBuffer, IoBuffer.InputLength);
-				if(Status)
-				{
-					BCM_DEBUG_PRINT(Adapter,DBG_TYPE_OTHERS, OSAL_DBG, DBG_LVL_ALL,"copy of control bit mask failed from user space");
-					break;
-				}
-				BCM_DEBUG_PRINT(Adapter,DBG_TYPE_OTHERS, OSAL_DBG, DBG_LVL_ALL,"\n Got user defined cntrl msg bit mask :%lx", RxCntrlMsgBitMask);
-				pTarang->RxCntrlMsgBitMask = RxCntrlMsgBitMask ;
-			 }
-			 break;
+		Status = copy_from_user(&RxCntrlMsgBitMask, IoBuffer.InputBuffer,
+					IoBuffer.InputLength);
+		if (Status) {
+			BCM_DEBUG_PRINT(Adapter, DBG_TYPE_OTHERS, OSAL_DBG, DBG_LVL_ALL,
+					"copy of control bit mask failed from user space");
+			Status = -EFAULT;
+			break;
+		}
+
+		pTarang->RxCntrlMsgBitMask = RxCntrlMsgBitMask;
+		break;
 			case IOCTL_BCM_GET_DEVICE_DRIVER_INFO:
 			{
 				DEVICE_DRIVER_INFO DevInfo;
-- 
1.7.0.4

_______________________________________________
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxx
http://driverdev.linuxdriverproject.org/mailman/listinfo/devel


[Index of Archives]     [Linux Driver Backports]     [DMA Engine]     [Linux GPIO]     [Linux SPI]     [Video for Linux]     [Linux USB Devel]     [Linux Coverity]     [Linux Audio Users]     [Linux Kernel]     [Linux SCSI]     [Yosemite Backpacking]
  Powered by Linux