[PATCH] Staging: bcm: Fix information leak in IOCTL_BCM_GET_DRIVER_VERSION
Kevin McKinney
klmckinney1 at gmail.com
Wed Dec 14 13:21:11 UTC 2011
Hi Dan,
On Wed, Dec 14, 2011 at 1:06 AM, Dan Carpenter <dan.carpenter at oracle.com> wrote:
> On Tue, Dec 13, 2011 at 07:27:32PM -0500, Kevin McKinney wrote:
>> This ioctl, IOCTL_BCM_GET_DRIVER_VERSION, is
>> responsible for sending the driver version
>> to userspace. However, the requested size stored
>> in IoBuffer.OutputLength may be incorrect.
>> Therefore, we altered the code to send the
>> exact length of the version, plus one for the
>> null character.
>>
>> Signed-off-by: Kevin McKinney <klmckinney1 at gmail.com>
>> ---
>> drivers/staging/bcm/Bcmchar.c | 2 +-
>> 1 files changed, 1 insertions(+), 1 deletions(-)
>>
>> diff --git a/drivers/staging/bcm/Bcmchar.c b/drivers/staging/bcm/Bcmchar.c
>> index c4d7a61..96945bb 100644
>> --- a/drivers/staging/bcm/Bcmchar.c
>> +++ b/drivers/staging/bcm/Bcmchar.c
>> @@ -1003,7 +1003,7 @@ cntrlEnd:
>> if (copy_from_user(&IoBuffer, argp, sizeof(IOCTL_BUFFER)))
>> return -EFAULT;
>>
>> - if (copy_to_user(IoBuffer.OutputBuffer, VER_FILEVERSION_STR, IoBuffer.OutputLength))
>> + if (copy_to_user(IoBuffer.OutputBuffer, VER_FILEVERSION_STR, strlen(VER_FILEVERSION_STR)+1))
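Review bot: The new length on the added copy_to_user() line no longer consults IoBuffer.OutputLength, so a caller whose OutputBuffer is shorter than strlen(VER_FILEVERSION_STR)+1 gets bytes written past the size it declared. Bound the copy by both values, for example len = min_t(ulong, IoBuffer.OutputLength, strlen(VER_FILEVERSION_STR) + 1), and decide whether a request too short to hold the terminating NUL should return an error rather than a truncated, unterminated string.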
>
> You should still take into consideration what the user passed as
> IoBuffer.OutputLength. Something like:
>
> len = min_t(ulong, IoBuffer.OutputLength, strlen(VER_FILEVERSION_STR) + 1);
> if (copy_to_user(IoBuffer.OutputBuffer, VER_FILEVERSION_STR, len))
>
Good point. I will resubmit this patch.
Thanks,
Kevin
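
The three length choices discussed in this thread, modelled in userspace as an added example (not code from the driver or from either poster). The version string, the adjacent "kernel" bytes, the canary value and the names get_version, policy and outcome are constructed for illustration; memcpy() stands in for copy_to_user().

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for kernel memory: a version string followed by
 * unrelated bytes. The real VER_FILEVERSION_STR value is not on the page. */
static const char kmem[32] = "1.0.0\0SECRET-KERNEL-BYTES";

enum policy { TRUST_USER_LEN, FIXED_STRLEN, CLAMPED };

struct outcome {
    int leaked;      /* bytes after the string reached the caller      */
    int overran;     /* bytes written past the caller's declared size  */
    int terminated;  /* caller received a NUL-terminated string        */
};

/* out_len models IoBuffer.OutputLength; keep it below sizeof(kmem). */
static struct outcome get_version(enum policy p, size_t out_len)
{
    unsigned char user[64];              /* caller's buffer plus canary area */
    size_t need = strlen(kmem) + 1;      /* string plus NUL */
    size_t n;
    struct outcome o;

    if (p == TRUST_USER_LEN)
        n = out_len;                              /* original code */
    else if (p == FIXED_STRLEN)
        n = need;                                 /* first patch */
    else
        n = out_len < need ? out_len : need;      /* suggested min_t() clamp */

    memset(user, 0xAA, sizeof(user));
    memcpy(user, kmem, n);               /* stands in for copy_to_user() */

    o.leaked = n >= need + 6 && memcmp(user + need, "SECRET", 6) == 0;
    o.overran = user[out_len] != 0xAA;
    o.terminated = memchr(user, 0, n) != NULL;
    return o;
}

int main(void)
{
    static const char *name[] = { "trust-user-len", "fixed-strlen", "clamped" };
    size_t lens[] = { 3, 20 };

    for (int p = TRUST_USER_LEN; p <= CLAMPED; p++)
        for (int i = 0; i < 2; i++) {
            struct outcome o = get_version((enum policy)p, lens[i]);
            printf("%-14s len=%2zu leaked=%d overran=%d terminated=%d\n",
                   name[p], lens[i], o.leaked, o.overran, o.terminated);
        }
    return 0;
}
```

The clamped variant neither leaks nor overruns, but with a declared length of 3 the caller receives a string with no terminating NUL.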