From: Javier Martinez Canillas <martinez.javier@xxxxxxxxx>
bcm driver copies a buffer length provided by userpace without checking it.
RxCntrlMsgBitMask is of type unsigned long so only makes sense to copy
sizeof(unsigned long) bytes.
Also, copy_from_user() returns the number of bytes that could not be copied.
The driver is returning that value as error code instead of -EFAULT.
This patch solves both issues.
Signed-off-by: Javier Martinez Canillas <martinez.javier@xxxxxxxxx>
Cc: Stephen Hemminger <shemminger@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxx>
---
drivers/staging/bcm/Bcmchar.c | 7 +++++++
1 files changed, 7 insertions(+), 0 deletions(-)
diff --git a/drivers/staging/bcm/Bcmchar.c b/drivers/staging/bcm/Bcmchar.c
index 31674ea..7dff283 100644
--- a/drivers/staging/bcm/Bcmchar.c
+++ b/drivers/staging/bcm/Bcmchar.c
@@ -2024,6 +2024,12 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
if(Status)
{
BCM_DEBUG_PRINT(Adapter,DBG_TYPE_OTHERS, OSAL_DBG, DBG_LVL_ALL,"copy of Ioctl buffer is failed from user space");
+ Status = -EFAULT;
+ break;
+ }
+
+ if (IoBuffer.InputLength != sizeof(unsigned long)) {
+ Status = -EINVAL;
break;
}
@@ -2031,6 +2037,7 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
if(Status)
{
BCM_DEBUG_PRINT(Adapter,DBG_TYPE_OTHERS, OSAL_DBG, DBG_LVL_ALL,"copy of control bit mask failed from user space");
+ Status = -EFAULT;
break;
}
BCM_DEBUG_PRINT(Adapter,DBG_TYPE_OTHERS, OSAL_DBG, DBG_LVL_ALL,"\n Got user defined cntrl msg bit mask :%lx", RxCntrlMsgBitMask);
--
1.7.4.1
_______________________________________________
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxx
http://driverdev.linuxdriverproject.org/mailman/listinfo/devel
