firewire: check cdev response length

Add a check that the data length in the SEND_RESPONSE ioctl is correct.
Incidentally, this also fixes the previously wrong response length of
software-handled lock requests.

Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>

1 files changed, 6 insertions, 3 deletions

diff --git a/drivers/firewire/core-cdev.c b/drivers/firewire/core-cdev.c
index 9d1a1a1a83c9..50332b84f49a 100644
--- a/drivers/firewire/core-cdev.c
+++ b/drivers/firewire/core-cdev.c
@@ -756,9 +756,12 @@ static int ioctl_send_response(struct client *client, union ioctl_arg *arg)
         if (is_fcp_request(r->request))
                 goto out;
 
-        if (a->length < r->length)
-                r->length = a->length;
-        if (copy_from_user(r->data, u64_to_uptr(a->data), r->length)) {
+        if (a->length != fw_get_response_length(r->request)) {
+                ret = -EINVAL;
+                kfree(r->request);
+                goto out;
+        }
+        if (copy_from_user(r->data, u64_to_uptr(a->data), a->length)) {
                 ret = -EFAULT;
                 kfree(r->request);
                 goto out;