This patch fixes two issues within bcm/Bcmchar.c. The first change checks if variable IoBuffer.OutputLength, defined from user space, is greater than the maximum value allowed for an unsigned short. IoBuffer.OutputLength is then used in a kmalloc call to return a pointer to memory. If this size is greater than an unsigned short, it becomes useless. The second change checks if the same variable, IoBuffer.OutputLength is equal to zero before invoking the kmalloc call. In this case, if a zero size is sent to kmalloc, a valid pointer to memory is returned instead of the expected NULL. Signed-off-by: Kevin McKinney <klmckinney1@xxxxxxxxx> --- drivers/staging/bcm/Bcmchar.c | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-) diff --git a/drivers/staging/bcm/Bcmchar.c b/drivers/staging/bcm/Bcmchar.c index 4c43353..8a1f9e7 100644 --- a/drivers/staging/bcm/Bcmchar.c +++ b/drivers/staging/bcm/Bcmchar.c @@ -216,7 +216,12 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg) if (copy_from_user(&sRdmBuffer, IoBuffer.InputBuffer, IoBuffer.InputLength)) return -EFAULT; - /* FIXME: need to restrict BuffLen */ + if (IoBuffer.OutputLength == 0) + return -EINVAL; + + if (IoBuffer.OutputLength > USHRT_MAX) + return -EINVAL; + Bufflen = IoBuffer.OutputLength + (4 - IoBuffer.OutputLength%4)%4; temp_buff = kmalloc(Bufflen, GFP_KERNEL); if (!temp_buff) -- 1.7.4.1 _______________________________________________ devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxx http://driverdev.linuxdriverproject.org/mailman/listinfo/devel
