diff options
author | dann frazier <dannf@hp.com> | 2007-05-08 03:31:39 -0400 |
---|---|---|
committer | Linus Torvalds <torvalds@woody.linux-foundation.org> | 2007-05-08 14:15:14 -0400 |
commit | a2f72982e22b96862f8f15272732bd316d4db040 (patch) | |
tree | 31877f6700c05e23dfdb504f3673874584d19f9c /drivers | |
parent | 83ae1b79c898838e16ac8cde69b39d22d36fb035 (diff) |
old buffer overflow in moxa driver
I noticed that the moxa input checking security bug described by
CVE-2005-0504 appears to remain unfixed upstream.
The issue is described here:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0504
Debian has been shipping the following patch from Andres Salomon.
(akpm: it's a privileged operation)
Signed-off-by: dann frazier <dannf@hp.com>
Signed-off-by: Andres Salomon <dilinger@debian.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'drivers')
-rw-r--r-- | drivers/char/moxa.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/drivers/char/moxa.c b/drivers/char/moxa.c index 7dbaee8d9402..e0d35c20c04f 100644 --- a/drivers/char/moxa.c +++ b/drivers/char/moxa.c | |||
@@ -1582,7 +1582,7 @@ copy: | |||
1582 | 1582 | ||
1583 | if(copy_from_user(&dltmp, argp, sizeof(struct dl_str))) | 1583 | if(copy_from_user(&dltmp, argp, sizeof(struct dl_str))) |
1584 | return -EFAULT; | 1584 | return -EFAULT; |
1585 | if(dltmp.cardno < 0 || dltmp.cardno >= MAX_BOARDS) | 1585 | if(dltmp.cardno < 0 || dltmp.cardno >= MAX_BOARDS || dltmp.len < 0) |
1586 | return -EINVAL; | 1586 | return -EINVAL; |
1587 | 1587 | ||
1588 | switch(cmd) | 1588 | switch(cmd) |
@@ -2529,6 +2529,8 @@ static int moxaloadbios(int cardno, unsigned char __user *tmp, int len) | |||
2529 | void __iomem *baseAddr; | 2529 | void __iomem *baseAddr; |
2530 | int i; | 2530 | int i; |
2531 | 2531 | ||
2532 | if(len < 0 || len > sizeof(moxaBuff)) | ||
2533 | return -EINVAL; | ||
2532 | if(copy_from_user(moxaBuff, tmp, len)) | 2534 | if(copy_from_user(moxaBuff, tmp, len)) |
2533 | return -EFAULT; | 2535 | return -EFAULT; |
2534 | baseAddr = moxa_boards[cardno].basemem; | 2536 | baseAddr = moxa_boards[cardno].basemem; |
@@ -2576,7 +2578,7 @@ static int moxaload320b(int cardno, unsigned char __user *tmp, int len) | |||
2576 | void __iomem *baseAddr; | 2578 | void __iomem *baseAddr; |
2577 | int i; | 2579 | int i; |
2578 | 2580 | ||
2579 | if(len > sizeof(moxaBuff)) | 2581 | if(len < 0 || len > sizeof(moxaBuff)) |
2580 | return -EINVAL; | 2582 | return -EINVAL; |
2581 | if(copy_from_user(moxaBuff, tmp, len)) | 2583 | if(copy_from_user(moxaBuff, tmp, len)) |
2582 | return -EFAULT; | 2584 | return -EFAULT; |
@@ -2596,6 +2598,8 @@ static int moxaloadcode(int cardno, unsigned char __user *tmp, int len) | |||
2596 | void __iomem *baseAddr, *ofsAddr; | 2598 | void __iomem *baseAddr, *ofsAddr; |
2597 | int retval, port, i; | 2599 | int retval, port, i; |
2598 | 2600 | ||
2601 | if(len < 0 || len > sizeof(moxaBuff)) | ||
2602 | return -EINVAL; | ||
2599 | if(copy_from_user(moxaBuff, tmp, len)) | 2603 | if(copy_from_user(moxaBuff, tmp, len)) |
2600 | return -EFAULT; | 2604 | return -EFAULT; |
2601 | baseAddr = moxa_boards[cardno].basemem; | 2605 | baseAddr = moxa_boards[cardno].basemem; |