authorSalva Peiró <speiro@ai2.upv.es>2014-03-03 02:44:04 -0500
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2014-03-04 19:20:01 -0500
commit084b6e7765b9554699afa23a50e702a3d0ae4b24 (patch)
tree50efbe4843bc48fd5220b6f02ff1add272431a7e
parent0414855fdc4a40da05221fc6062cccbc0c30f169 (diff)
staging/cxt1e1/linux.c: Correct arbitrary memory write in c4_ioctl()
The function c4_ioctl() writes data from user in ifr->ifr_data to the kernel struct data arg, without any iolen bounds checking. This can lead to an arbitrary write outside of the struct data arg. Corrected by adding bounds-checking of iolen before the copy_from_user(). Signed-off-by: Salva Peiró <speiro@ai2.upv.es> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r--drivers/staging/cxt1e1/linux.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/drivers/staging/cxt1e1/linux.c b/drivers/staging/cxt1e1/linux.c
index 4a08e16e42f7..79206cb3fb94 100644
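--- a/drivers/staging/cxt1e1/linux.c
+++ b/drivers/staging/cxt1e1/linux.c
@@ -866,6 +866,8 @@ c4_ioctl (struct net_device *ndev, struct ifreq *ifr, int cmd)
  _IOC_SIZE (iocmd));
 #endif
  iolen = _IOC_SIZE (iocmd);
+ if (iolen > sizeof(arg))
+ return -EFAULT;
  data = ifr->ifr_data + sizeof (iocmd);
  if (copy_from_user (&arg, data, iolen))
  return -EFAULT;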
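Review bot: The added guard `if (iolen > sizeof(arg)) return -EFAULT;` reports an oversized command length with the same errno as the real copy fault two lines below, so a caller cannot tell a rejected size from a bad user pointer; `return -EINVAL;` would describe a malformed `_IOC_SIZE` more accurately. The guard is correctly placed before `copy_from_user (&arg, data, iolen)`, and it deserves a one-line comment such as `/* iolen comes from _IOC_SIZE(iocmd); never copy more than arg can hold */`. c4_ioctl starts and ends outside this hunk, so it is not visible whether `arg` is zeroed before a short copy or whether `iolen` is reused for a later copy back to user space; both are worth confirming.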