On Fri, Jul 25, 2014 at 01:07:40AM +0200, Guillaume Clement wrote:
> diff --git a/drivers/staging/vt6655/iwctl.c b/drivers/staging/vt6655/iwctl.c
> index 501cd64..9291259 100644
> --- a/drivers/staging/vt6655/iwctl.c
> +++ b/drivers/staging/vt6655/iwctl.c
> @@ -1621,14 +1621,17 @@ int iwctl_giwauth(struct net_device *dev,
> int iwctl_siwgenie(struct net_device *dev,
> struct iw_request_info *info,
> struct iw_point *wrq,
> - char *extra)
> + char __user *extra)
> {
> PSDevice pDevice = (PSDevice)netdev_priv(dev);
> PSMgmtObject pMgmt = &(pDevice->sMgmtObj);
> int ret = 0;
> + char length;
>
> if (wrq->length) {
> - if ((wrq->length < 2) || (extra[1]+2 != wrq->length)) {
> + if (get_user(length, extra + 1))
> + return -EFAULT;
> + if ((wrq->length < 2) || (length != wrq->length)) {
> ret = -EINVAL;
> goto out;
> }
Wow, this is confusing code. The patch description isn't clear enough
that this is a bugfix patch and not just a "tag data" patch.
I don't think this is correct. We need to check the length of the input
buffer before we call get_user(). Can we return directly or do we
*need* to go to the mysteriously named "out"? Also the + 2 is lost,
this would break everything if the current code works (not necessarily a
valid assumption). Delete all my comments in the final code.
/* 2 because we skip the first byte and read length from the
second byte */
if (wrq->length < 2) {
ret = -EINVAL;
goto out;
}
ret = get_user(length, extra + 1);
if (ret)
goto out;
if (length + 2 != wrq->length) {
ret = -EINVAL;
goto out;
}
regards,
dan carpenter
_______________________________________________
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxx
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
