On Sun, 2011-09-25 at 21:15 -0400, Kevin McKinney wrote: > This patch fixes two issues within bcm/Bcmchar.c. [] > diff --git a/drivers/staging/bcm/Bcmchar.c b/drivers/staging/bcm/Bcmchar.c [] > @@ -216,7 +216,12 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg) > if (copy_from_user(&sRdmBuffer, IoBuffer.InputBuffer, IoBuffer.InputLength)) > return -EFAULT; > > - /* FIXME: need to restrict BuffLen */ > + if (IoBuffer.OutputLength == 0) > + return -EINVAL; > + > + if (IoBuffer.OutputLength > USHRT_MAX) > + return -EINVAL; It's reasonable and shorter to combine these tests. if (IoBuffer.OutputLength == 0 || IoBuffer.OutputLength > USHRT_MAX) return -EINVAL; > + > Bufflen = IoBuffer.OutputLength + (4 - IoBuffer.OutputLength%4)%4; Not your issue, but because it's near the patched bits: Because of the two modulos, this is not straightforward. Perhaps a temporary helps. Bufflen = IoBuffer.OutputLength; u16 extra = Bufflen % 4; if (extra) Bufflen += 4 - extra; > temp_buff = kmalloc(Bufflen, GFP_KERNEL); > if (!temp_buff)
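Review bot: the added `IoBuffer.OutputLength > USHRT_MAX` check bounds the length before the round-up to a multiple of 4, so the largest accepted OutputLength (65535) produces a Bufflen of 65536, one past USHRT_MAX. That is harmless only if Bufflen is wider than 16 bits, and its declaration is not in the visible context, so either confirm the type or apply the limit to the rounded value that is passed to kmalloc. The patch also drops the FIXME without leaving any note on why USHRT_MAX is the chosen ceiling for a user-controlled allocation size; a one-line comment above the check would keep that intent for the next reader.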