There were multiple variable length arrays declared on the stack in proc
handlers:
char buf[count];
I changed these to be fixed length arrays.
Signed-off-by: Ken Cox <jkc@xxxxxxxxxx>
---
drivers/staging/unisys/uislib/uislib.c | 39 +++++++++++++++++++++++++-------
drivers/staging/unisys/virthba/virthba.c | 5 +++-
drivers/staging/unisys/virtpci/virtpci.c | 5 +++-
3 files changed, 39 insertions(+), 10 deletions(-)
diff --git a/drivers/staging/unisys/uislib/uislib.c b/drivers/staging/unisys/uislib/uislib.c
index b9bf7b4..8d7ff94 100644
--- a/drivers/staging/unisys/uislib/uislib.c
+++ b/drivers/staging/unisys/uislib/uislib.c
@@ -1509,9 +1509,12 @@ vnic_proc_write(struct file *file, const char __user *buffer,
size_t count, loff_t *ppos)
{
int action = 0xffff, busNo = 0, i, result = 0;
- char buf[count];
+ char buf[4];
char direction;
/* GUID guid; */
+ if (count >= ARRAY_SIZE(buf))
+ return -EINVAL;
+
if (copy_from_user(buf, buffer, count)) {
LOGERR("echo > /proc/uislib/vnic copy_from_user ****FAILED.\n");
return -EFAULT;
@@ -1566,9 +1569,12 @@ chipset_proc_write(struct file *file, const char __user *buffer,
size_t count, loff_t *ppos)
{
int i, action = 0xffff;
- char buf[count];
+ char buf[4];
CONTROLVM_MESSAGE msg;
+ if (count >= ARRAY_SIZE(buf))
+ return -EINVAL;
+
memset(&msg, 0, sizeof(CONTROLVM_MESSAGE));
if (copy_from_user(buf, buffer, count)) {
@@ -1811,10 +1817,13 @@ bus_proc_write(struct file *file, const char __user *buffer,
{
int server_flag = 0;
int i, action = 0xffff, result;
- char buf[count];
+ char buf[16];
CONTROLVM_MESSAGE msg;
U32 busNo, deviceCount;
+ if (count >= ARRAY_SIZE(buf))
+ return -EINVAL;
+
memset(&msg, 0, sizeof(CONTROLVM_MESSAGE));
if (copy_from_user(buf, buffer, count)) {
@@ -1892,10 +1901,13 @@ dev_proc_write(struct file *file, const char __user *buffer,
int server_flag = 0;
CONTROLVM_MESSAGE msg;
U32 busNo, devNo;
- char buf[count];
+ char buf[32];
unsigned int chanptr;
int type, i, action = 0xffff, result;
+ if (count >= ARRAY_SIZE(buf))
+ return -EINVAL;
+
if (copy_from_user(buf, buffer, count)) {
LOGERR("echo > /proc/uislib/device: copy_from_user ****FAILED.");
return -EFAULT;
@@ -1985,7 +1997,7 @@ static ssize_t
cycles_before_wait_proc_write(struct file *file, const char __user *buffer,
size_t count, loff_t *ppos)
{
- char buf[count];
+ char buf[16];
#define CYCLES_BEFORE_WAIT_USE_ERROR { \
LOGERR("Incorrect Call Home Input.\n"); \
@@ -1993,6 +2005,8 @@ cycles_before_wait_proc_write(struct file *file, const char __user *buffer,
pr_info("EventID Category Type[parameter1][parameter2][parameter3][parameter4][parameter5][parameter6]\n"); \
return -EFAULT; \
}
+ if (count >= ARRAY_SIZE(buf))
+ return -EINVAL;
if (count == 0)
CYCLES_BEFORE_WAIT_USE_ERROR;
@@ -2014,7 +2028,7 @@ static ssize_t
reset_counts_proc_write(struct file *file, const char __user *buffer,
size_t count, loff_t *ppos)
{
- char buf[count];
+ char buf[16];
unsigned long long new_value;
struct bus_info *bus;
int i;
@@ -2026,6 +2040,9 @@ reset_counts_proc_write(struct file *file, const char __user *buffer,
return -EFAULT; \
}
+ if (count >= ARRAY_SIZE(buf))
+ return -EINVAL;
+
if (count == 0)
RESET_COUNTS_USE_ERROR;
@@ -2061,7 +2078,7 @@ static ssize_t
smart_wakeup_proc_write(struct file *file, const char __user *buffer,
size_t count, loff_t *ppos)
{
- char buf[count];
+ char buf[16];
int new_value;
#define SMART_WAKEUP_USE_ERROR { \
@@ -2071,6 +2088,9 @@ smart_wakeup_proc_write(struct file *file, const char __user *buffer,
return -EFAULT; \
}
+ if (count >= ARRAY_SIZE(buf))
+ return -EINVAL;
+
if (count == 0)
SMART_WAKEUP_USE_ERROR;
@@ -2092,10 +2112,13 @@ test_proc_write(struct file *file, const char __user *buffer,
size_t count, loff_t *ppos)
{
int i, action = 0xffff;
- char buf[count];
+ char buf[16];
CONTROLVM_MESSAGE msg;
S64 vrtc_offset;
+ if (count >= ARRAY_SIZE(buf))
+ return -EINVAL;
+
memset(&msg, 0, sizeof(CONTROLVM_MESSAGE));
if (copy_from_user(buf, buffer, count)) {
diff --git a/drivers/staging/unisys/virthba/virthba.c b/drivers/staging/unisys/virthba/virthba.c
index 277851f..cac2532 100644
--- a/drivers/staging/unisys/virthba/virthba.c
+++ b/drivers/staging/unisys/virthba/virthba.c
@@ -1493,9 +1493,12 @@ static ssize_t
rqwu_proc_write(struct file *file, const char __user *buffer,
size_t count, loff_t *ppos)
{
- char buf[count];
+ char buf[16];
int i, usecs;
+ if (count >= ARRAY_SIZE(buf))
+ return -EINVAL;
+
if (copy_from_user(buf, buffer, count)) {
LOGERR("copy_from_user failed. buf<<%.*s>> count<<%lu>>\n",
(int) count, buf, count);
diff --git a/drivers/staging/unisys/virtpci/virtpci.c b/drivers/staging/unisys/virtpci/virtpci.c
index 5700e4b..0c15932 100644
--- a/drivers/staging/unisys/virtpci/virtpci.c
+++ b/drivers/staging/unisys/virtpci/virtpci.c
@@ -1488,7 +1488,7 @@ static ssize_t info_proc_read(struct file *file, char __user *buf,
static ssize_t virt_proc_write(struct file *file, const char __user *buffer,
size_t count, loff_t *ppos)
{
- char buf[count];
+ char buf[16];
int type, i, action = 0xffff;
unsigned int busno, deviceno;
void *chanptr;
@@ -1518,6 +1518,9 @@ static ssize_t virt_proc_write(struct file *file, const char __user *buffer,
return -EINVAL; \
}
+ if (count >= ARRAY_SIZE(buf))
+ return -EINVAL;
+
if (copy_from_user(buf, buffer, count)) {
LOGERR("copy_from_user failed.\n");
return -EFAULT;
--
1.8.5.3
_______________________________________________
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxx
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
