1 files changed, 13 insertions, 10 deletions
diff --git a/drivers/firewire/core-cdev.c b/drivers/firewire/core-cdev.c
index 702dcc98c074..14a34d99eea2 100644
--- a/drivers/firewire/core-cdev.c
+++ b/drivers/firewire/core-cdev.c
@@ -960,6 +960,8 @@ static int ioctl_queue_iso(struct client *client, union ioctl_arg *arg)
                u.packet.header_length = GET_HEADER_LENGTH(control);
                if (ctx->type == FW_ISO_CONTEXT_TRANSMIT) {
+                        if (u.packet.header_length % 4 != 0)
+                                return -EINVAL;
                        header_length = u.packet.header_length;
                } else {
                        /*
@@ -969,7 +971,8 @@ static int ioctl_queue_iso(struct client *client, union ioctl_arg *arg)
                        if (ctx->header_size == 0) {
                                if (u.packet.header_length > 0)
                                        return -EINVAL;
-                        } else if (u.packet.header_length % ctx->header_size != 0) {
+                        } else if (u.packet.header_length == 0 ||
+                                   u.packet.header_length % ctx->header_size != 0) {
                                return -EINVAL;
                        }
                        header_length = 0;
@@ -1354,24 +1357,24 @@ static int dispatch_ioctl(struct client *client,
                return -ENODEV;
        if (_IOC_TYPE(cmd) != '#' ||
-            _IOC_NR(cmd) >= ARRAY_SIZE(ioctl_handlers))
+            _IOC_NR(cmd) >= ARRAY_SIZE(ioctl_handlers) ||
+            _IOC_SIZE(cmd) > sizeof(buffer))
                return -EINVAL;
-        if (_IOC_DIR(cmd) & _IOC_WRITE) {
+        if (_IOC_DIR(cmd) == _IOC_READ)
-                if (_IOC_SIZE(cmd) > sizeof(buffer) ||
+                memset(&buffer, 0, _IOC_SIZE(cmd));
-                    copy_from_user(&buffer, arg, _IOC_SIZE(cmd)))
+        if (_IOC_DIR(cmd) & _IOC_WRITE)
+                if (copy_from_user(&buffer, arg, _IOC_SIZE(cmd)))
                        return -EFAULT;
-        }
        ret = ioctl_handlers[_IOC_NR(cmd)](client, &buffer);
        if (ret < 0)
                return ret;
-        if (_IOC_DIR(cmd) & _IOC_READ) {
+        if (_IOC_DIR(cmd) & _IOC_READ)
-                if (_IOC_SIZE(cmd) > sizeof(buffer) ||
+                if (copy_to_user(arg, &buffer, _IOC_SIZE(cmd)))
-                    copy_to_user(arg, &buffer, _IOC_SIZE(cmd)))
                        return -EFAULT;
-        }
        return ret;
 }

diff --git a/drivers/firewire/core-cdev.c b/drivers/firewire/core-cdev.c index 702dcc98c074..14a34d99eea2 100644 --- a/drivers/firewire/core-cdev.c +++ b/drivers/firewire/core-cdev.c
@@ -960,6 +960,8 @@ static int ioctl_queue_iso(struct client client, union ioctl_arg arg)
960	u.packet.header_length = GET_HEADER_LENGTH(control);	960	u.packet.header_length = GET_HEADER_LENGTH(control);
961		961
962	if (ctx->type == FW_ISO_CONTEXT_TRANSMIT) {	962	if (ctx->type == FW_ISO_CONTEXT_TRANSMIT) {
		963	if (u.packet.header_length % 4 != 0)
		964	return -EINVAL;
963	header_length = u.packet.header_length;	965	header_length = u.packet.header_length;
964	} else {	966	} else {
965	/*	967	/*
@@ -969,7 +971,8 @@ static int ioctl_queue_iso(struct client client, union ioctl_arg arg)
969	if (ctx->header_size == 0) {	971	if (ctx->header_size == 0) {
970	if (u.packet.header_length > 0)	972	if (u.packet.header_length > 0)
971	return -EINVAL;	973	return -EINVAL;
972	} else if (u.packet.header_length % ctx->header_size != 0) {	974	} else if (u.packet.header_length == 0 \|\|
		975	u.packet.header_length % ctx->header_size != 0) {
973	return -EINVAL;	976	return -EINVAL;
974	}	977	}
975	header_length = 0;	978	header_length = 0;
@@ -1354,24 +1357,24 @@ static int dispatch_ioctl(struct client *client,
1354	return -ENODEV;	1357	return -ENODEV;
1355		1358
1356	if (_IOC_TYPE(cmd) != '#' \|\|	1359	if (_IOC_TYPE(cmd) != '#' \|\|
1357	_IOC_NR(cmd) >= ARRAY_SIZE(ioctl_handlers))	1360	_IOC_NR(cmd) >= ARRAY_SIZE(ioctl_handlers) \|\|
		1361	_IOC_SIZE(cmd) > sizeof(buffer))
1358	return -EINVAL;	1362	return -EINVAL;
1359		1363
1360	if (_IOC_DIR(cmd) & _IOC_WRITE) {	1364	if (_IOC_DIR(cmd) == _IOC_READ)
1361	if (_IOC_SIZE(cmd) > sizeof(buffer) \|\|	1365	memset(&buffer, 0, _IOC_SIZE(cmd));
1362	copy_from_user(&buffer, arg, _IOC_SIZE(cmd)))	1366
		1367	if (_IOC_DIR(cmd) & _IOC_WRITE)
		1368	if (copy_from_user(&buffer, arg, _IOC_SIZE(cmd)))
1363	return -EFAULT;	1369	return -EFAULT;
1364	}
1365		1370
1366	ret = ioctl_handlers[_IOC_NR(cmd)](client, &buffer);	1371	ret = ioctl_handlers[_IOC_NR(cmd)](client, &buffer);
1367	if (ret < 0)	1372	if (ret < 0)
1368	return ret;	1373	return ret;
1369		1374
1370	if (_IOC_DIR(cmd) & _IOC_READ) {	1375	if (_IOC_DIR(cmd) & _IOC_READ)
1371	if (_IOC_SIZE(cmd) > sizeof(buffer) \|\|	1376	if (copy_to_user(arg, &buffer, _IOC_SIZE(cmd)))
1372	copy_to_user(arg, &buffer, _IOC_SIZE(cmd)))
1373	return -EFAULT;	1377	return -EFAULT;
1374	}
1375		1378
1376	return ret;	1379	return ret;
1377	}	1380	}