On Sun, Dec 03, 2017 at 04:17:26PM +0100, Simon Sandström wrote:
> diff --git a/drivers/staging/pi433/pi433_if.h b/drivers/staging/pi433/pi433_if.h
> index 34ff0d4807bd..bcfe29840889 100644
> --- a/drivers/staging/pi433/pi433_if.h
> +++ b/drivers/staging/pi433/pi433_if.h
> @@ -63,7 +63,7 @@ struct pi433_tx_cfg {
> __u16 bit_rate;
> __u32 dev_frequency;
> enum modulation modulation;
> - enum modShaping modShaping;
> + enum mod_shaping mod_shaping;
>
I looked at how mod_shaping is set and the only place is in the ioctl:
789 case PI433_IOC_WR_TX_CFG:
790 if (copy_from_user(&instance->tx_cfg, argp,
791 sizeof(struct pi433_tx_cfg)))
792 return -EFAULT;
793 break;
We just write over the whole config. Including important things like
rx_cfg.fixed_message_length. There is no locking so when we do things
like:
385 /* fixed or unlimited length? */
386 if (dev->rx_cfg.fixed_message_length != 0)
387 {
388 if (dev->rx_cfg.fixed_message_length > dev->rx_buffer_size)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
check
389 {
390 retval = -1;
391 goto abort;
392 }
393 bytes_total = dev->rx_cfg.fixed_message_length;
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
set this in the ioctl after the check but before this line and it looks
like a security problem.
394 dev_dbg(dev->dev,"rx: msg len set to %d by fixed length", bytes_total);
395 }
Anyway, I guess this patch is fine.
regards,
dan carpenter
_______________________________________________
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxx
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
