diff options
author | Salva Peiró <speiro@ai2.upv.es> | 2014-03-03 02:44:04 -0500 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2014-03-04 19:20:01 -0500 |
commit | 084b6e7765b9554699afa23a50e702a3d0ae4b24 (patch) | |
tree | 50efbe4843bc48fd5220b6f02ff1add272431a7e | |
parent | 0414855fdc4a40da05221fc6062cccbc0c30f169 (diff) |
staging/cxt1e1/linux.c: Correct arbitrary memory write in c4_ioctl()
The function c4_ioctl() writes data from user in ifr->ifr_data
to the kernel struct data arg, without any iolen bounds checking.
This can lead to a arbitrary write outside of the struct data arg.
Corrected by adding bounds-checking of iolen before the copy_from_user().
Signed-off-by: Salva Peiró <speiro@ai2.upv.es>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r-- | drivers/staging/cxt1e1/linux.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/drivers/staging/cxt1e1/linux.c b/drivers/staging/cxt1e1/linux.c index 4a08e16e42f7..79206cb3fb94 100644 --- a/drivers/staging/cxt1e1/linux.c +++ b/drivers/staging/cxt1e1/linux.c | |||
@@ -866,6 +866,8 @@ c4_ioctl (struct net_device *ndev, struct ifreq *ifr, int cmd) | |||
866 | _IOC_SIZE (iocmd)); | 866 | _IOC_SIZE (iocmd)); |
867 | #endif | 867 | #endif |
868 | iolen = _IOC_SIZE (iocmd); | 868 | iolen = _IOC_SIZE (iocmd); |
869 | if (iolen > sizeof(arg)) | ||
870 | return -EFAULT; | ||
869 | data = ifr->ifr_data + sizeof (iocmd); | 871 | data = ifr->ifr_data + sizeof (iocmd); |
870 | if (copy_from_user (&arg, data, iolen)) | 872 | if (copy_from_user (&arg, data, iolen)) |
871 | return -EFAULT; | 873 | return -EFAULT; |