Variable IoBuffer.InputLength is chosen from userspace, and can therefore be zero. If so, then we will get a kernel Oops. To resolve this issue, this patch checks to confirm IoBuffer.InputLength is not equal to zero before invoking the kmalloc call. Signed-off-by: Kevin McKinney <klmckinney1@xxxxxxxxx> --- drivers/staging/bcm/Bcmchar.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) diff --git a/drivers/staging/bcm/Bcmchar.c b/drivers/staging/bcm/Bcmchar.c index fa4a854..47d6818 100644 --- a/drivers/staging/bcm/Bcmchar.c +++ b/drivers/staging/bcm/Bcmchar.c @@ -1137,7 +1137,9 @@ cntrlEnd: if (copy_from_user(&IoBuffer, argp, sizeof(IOCTL_BUFFER))) return -EFAULT; - /* FIXME: restrict length */ + if (IoBuffer.InputLength == 0) + return -EINVAL; + pvBuffer = kmalloc(IoBuffer.InputLength, GFP_KERNEL); if (!pvBuffer) return -ENOMEM; -- 1.7.4.1 _______________________________________________ devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxx http://driverdev.linuxdriverproject.org/mailman/listinfo/devel
