On Thu, Dec 10, 2015 at 10:42:14AM +0100, Wim de With wrote:
> On 10-12-2015 10:37, Dan Carpenter wrote:
> > On Thu, Dec 10, 2015 at 10:11:12AM +0100, Wim de With wrote:
> >> @@ -482,8 +483,16 @@ static int gdm_wimax_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
> >>  /* NOTE: gdm_update_fsm should be called
> >>  * before gdm_wimax_ioctl_set_data is called.
> >>  */
> >> - gdm_update_fsm(dev,
> >> - req->data.buf);
> >> + fsm_buf = kmalloc(sizeof(fsm_s), GFP_KERNEL);
> >> + if (!fsm_buf)
> >> + return -ENOMEM;
> >> + if (copy_from_user(fsm_buf, req->data.buf,
> >> + sizeof(fsm_s))) {
> >> + kfree(fsm_buf);
> >> + return -EFAULT;
> >> + }
> >> + gdm_update_fsm(dev, fsm_buf);
> >> + kfree(fsm_buf);
> >
> >
> > No. This change is a bug.
> >
> > regards,
> > dan carpenter
> >
>
> But what if I just keep it as:
>
> gdm_update_fsm(dev, req->data.buf)
>
> Then it would just trust a __user pointer right?

I apologize, I didn't read the patch carefully. This is a bugfix.

Can you resend the patch with a better patch description where you
replace the last paragraph and say:

Once I updated the Sparse annotations, I noticed a bug in
gdm_wimax_ioctl() where we pass a user space pointer to gdm_update_fsm()
which dereferences it. I fixed this.

regards,
dan carpenter

_______________________________________________
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxx
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
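Review bot: the kmalloc()/kfree() pair and the extra -ENOMEM path in the gdm_wimax_ioctl() hunk are more than the copy needs: fsm_buf holds a fixed-size fsm_s that lives only for the duration of the gdm_update_fsm() call, so a stack object (`fsm_s fsm; if (copy_from_user(&fsm, req->data.buf, sizeof(fsm))) return -EFAULT; gdm_update_fsm(dev, &fsm);`) or a single memdup_user() call checked with IS_ERR() does the same job with one error path instead of two. Whichever form is kept, confirm that gdm_update_fsm() copies out of its argument rather than storing the pointer, because the buffer is freed on the very next line after the call. The declaration of fsm_buf is not part of this hunk, so check the earlier hunk declares it as `fsm_s *` so that sizeof(fsm_s) and the pointer type stay in step.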
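The point Dan agrees on above is that a callee which dereferences its argument must only ever be handed a kernel pointer, and that the fix has to treat any bytes copy_from_user() could not copy as a hard failure. The program below is an added userspace model of that rule, written for this page; it is not the gdm_wimax driver's code. The fsm_s layout, the net_device stand-in, the fixed "user arena" that plays the part of the user address space, and the *_model() helpers are all assumptions made so it runs offline; the copy path itself follows the shape of the patch's fixed hunk (exact sizeof(fsm_s), free on every exit, -ENOMEM and -EFAULT as the two error returns).

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical layout standing in for the driver's fsm_s; the real struct is not on the page. */
typedef struct fsm_s {
    int m_cur_state;
    int m_prev_state;
} fsm_s;

/* Minimal stand-in for the driver's per-device state. */
struct net_device {
    fsm_s fsm;
};

/*
 * Model of the user address space: a fixed arena (constructed for this example).
 * Only a range that lies entirely inside it counts as "user" memory the kernel
 * side may copy from. A real kernel checks page tables and faults, not an arena.
 */
unsigned char user_arena[4096];

static int access_ok_model(const void *uptr, size_t len)
{
    uintptr_t p = (uintptr_t)uptr;
    uintptr_t base = (uintptr_t)user_arena;
    uintptr_t end = base + sizeof user_arena;

    return p >= base && p < end && len <= end - p;
}

/* Same contract as copy_from_user(): returns the number of bytes NOT copied, 0 on success. */
static unsigned long copy_from_user_model(void *to, const void *from, unsigned long n)
{
    if (!access_ok_model(from, n))
        return n;
    memcpy(to, from, n);
    return 0;
}

/* The callee dereferences its argument, so it must only ever receive a kernel pointer. */
static void gdm_update_fsm_model(struct net_device *dev, const fsm_s *fsm)
{
    dev->fsm = *fsm;
}

/*
 * Shape of the fix: allocate a kernel buffer of exactly sizeof(fsm_s), copy the
 * user bytes into it, hand the kernel pointer to the callee, free on every path.
 */
static int set_fsm_fixed(struct net_device *dev, const void *user_buf)
{
    fsm_s *fsm_buf = malloc(sizeof(*fsm_buf));   /* kmalloc(GFP_KERNEL) stand-in */

    if (!fsm_buf)
        return -ENOMEM;
    if (copy_from_user_model(fsm_buf, user_buf, sizeof(*fsm_buf))) {
        free(fsm_buf);
        return -EFAULT;
    }
    gdm_update_fsm_model(dev, fsm_buf);
    free(fsm_buf);
    return 0;
}

/* Exercises the paths; returns 0 when every case behaves, else one bit per failing case. */
int run_cases(void)
{
    struct net_device dev = { { 0, 0 } };
    fsm_s good = { 7, 3 };
    fsm_s kernel_local = { 1, 2 };
    int failed = 0;

    /* 1: a well-formed struct inside the user arena is copied into dev. */
    memcpy(user_arena, &good, sizeof good);
    if (set_fsm_fixed(&dev, user_arena) != 0 ||
        dev.fsm.m_cur_state != 7 || dev.fsm.m_prev_state != 3)
        failed |= 1;

    /* 2: a pointer outside the arena (a kernel-side stack object here) is rejected. */
    if (set_fsm_fixed(&dev, &kernel_local) != -EFAULT)
        failed |= 2;

    /* 3: a struct that starts inside the arena but runs past its end is rejected:
     *    a partial copy is a failure, not a short read. */
    if (set_fsm_fixed(&dev, user_arena + sizeof user_arena - 1) != -EFAULT)
        failed |= 4;

    /* Nothing from the rejected cases may have reached dev. */
    if (dev.fsm.m_cur_state != 7 || dev.fsm.m_prev_state != 3)
        failed |= 8;

    return failed;
}

int main(void)
{
    int r = run_cases();

    printf("run_cases() = %d (0 means every path behaved)\n", r);
    return r ? 1 : 0;
}
```

The arena is only there to give the model a notion of "user" versus "kernel" memory; the property worth taking from it is in set_fsm_fixed(): the callee never sees user_buf, the copy length is the struct size rather than anything the caller supplies, and a nonzero return from the copy aborts before dev is touched.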