aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorKevin McKinney <klmckinney1@gmail.com>2011-12-14 22:44:33 -0500
committerGreg Kroah-Hartman <gregkh@suse.de>2011-12-22 16:32:45 -0500
commitb72a7c859efc9e0cf13600b30a555457a08dd86f (patch)
tree3d284a1e03b1725c5c0f1f6d19a67d9a9f188d19
parentd1840eda7add1d0fdee5cf7ad2ac7ad0f656eecb (diff)
Staging: bcm: Fix information leak in IOCTL_BCM_GET_DRIVER_VERSION
This ioctl, IOCTL_BCM_GET_DRIVER_VERSION, is responsible for sending the driver version to userspace. However, the requested size stored in IoBuffer.OutputLength may be incorrect. Therefore, we altered the code to send the exact length of the version, plus one for the null character. Signed-off-by: Kevin McKinney <klmckinney1@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-rw-r--r--drivers/staging/bcm/Bcmchar.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/drivers/staging/bcm/Bcmchar.c b/drivers/staging/bcm/Bcmchar.c
index c4d7a6194180..fa4a854ba054 100644
--- a/drivers/staging/bcm/Bcmchar.c
+++ b/drivers/staging/bcm/Bcmchar.c
@@ -999,11 +999,15 @@ cntrlEnd:
999 } 999 }
1000 1000
1001 case IOCTL_BCM_GET_DRIVER_VERSION: { 1001 case IOCTL_BCM_GET_DRIVER_VERSION: {
1002 ulong len;
1003
1002 /* Copy Ioctl Buffer structure */ 1004 /* Copy Ioctl Buffer structure */
1003 if (copy_from_user(&IoBuffer, argp, sizeof(IOCTL_BUFFER))) 1005 if (copy_from_user(&IoBuffer, argp, sizeof(IOCTL_BUFFER)))
1004 return -EFAULT; 1006 return -EFAULT;
1005 1007
1006 if (copy_to_user(IoBuffer.OutputBuffer, VER_FILEVERSION_STR, IoBuffer.OutputLength)) 1008 len = min_t(ulong, IoBuffer.OutputLength, strlen(VER_FILEVERSION_STR) + 1);
1009
1010 if (copy_to_user(IoBuffer.OutputBuffer, VER_FILEVERSION_STR, len))
1007 return -EFAULT; 1011 return -EFAULT;
1008 Status = STATUS_SUCCESS; 1012 Status = STATUS_SUCCESS;
1009 break; 1013 break;