[PATCH] Staging: bcm: Fix information leak in IOCTL_BCM_GET_DRIVER_VERSION

Kevin McKinney klmckinney1 at gmail.com
Wed Dec 14 13:21:11 UTC 2011


Hi Dan,

On Wed, Dec 14, 2011 at 1:06 AM, Dan Carpenter <dan.carpenter at oracle.com> wrote:
> On Tue, Dec 13, 2011 at 07:27:32PM -0500, Kevin McKinney wrote:
>> This ioctl, IOCTL_BCM_GET_DRIVER_VERSION, is
>> responsible for sending the driver version
>> to userspace. However, the requested size stored
>> in IoBuffer.OutputLength may be incorrect.
>> Therefore, we altered the code to send the
>> exact length of the version, plus one for the
>> null character.
>>
>> Signed-off-by: Kevin McKinney <klmckinney1 at gmail.com>
>> ---
>>  drivers/staging/bcm/Bcmchar.c |    2 +-
>>  1 files changed, 1 insertions(+), 1 deletions(-)
>>
>> diff --git a/drivers/staging/bcm/Bcmchar.c b/drivers/staging/bcm/Bcmchar.c
>> index c4d7a61..96945bb 100644
>> --- a/drivers/staging/bcm/Bcmchar.c
>> +++ b/drivers/staging/bcm/Bcmchar.c
>> @@ -1003,7 +1003,7 @@ cntrlEnd:
>>               if (copy_from_user(&IoBuffer, argp, sizeof(IOCTL_BUFFER)))
>>                       return -EFAULT;
>>
>> -             if (copy_to_user(IoBuffer.OutputBuffer, VER_FILEVERSION_STR, IoBuffer.OutputLength))
>> +             if (copy_to_user(IoBuffer.OutputBuffer, VER_FILEVERSION_STR, strlen(VER_FILEVERSION_STR)+1))
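Review bot: the replacement copy_to_user() call now uses strlen(VER_FILEVERSION_STR)+1 as its length regardless of IoBuffer.OutputLength, so a caller that declared a shorter output buffer still has the full string written into it, past the size it asked for. Bound the copy by both values: take the smaller of IoBuffer.OutputLength and strlen(VER_FILEVERSION_STR)+1 into a local and pass that as the length. The commit message would also be clearer if it said what "may be incorrect" leads to: with the removed line, an OutputLength larger than the version string copies the bytes that follow the string out to userspace.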
>
> You should still take into consideration what the user passed as
> IoBuffer.OutputLength.  Something like:
>
>        len = min_t(ulong, IoBuffer.OutputLength, strlen(VER_FILEVERSION_STR) + 1);
>        if (copy_to_user(IoBuffer.OutputBuffer, VER_FILEVERSION_STR, len))
>
Good point.  I will resubmit this patch.

Thanks,
Kevin
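
An added example, not part of the original thread or the driver: a userspace model of the length handling discussed above, comparing the caller-supplied length used as-is with the min() clamp suggested in review. The names kernel_mem, get_version_unclamped, get_version_clamped and leaked_adjacent, the version value, and memcpy() standing in for copy_to_user() are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for kernel memory: the version string followed by
 * unrelated bytes that must never reach the caller. */
#define VER_STR "5.2.45" /* constructed value, not the driver's */
static const char kernel_mem[32] = VER_STR "\0ADJACENT-KERNEL-DATA";

/* Pre-patch shape: the caller's length is used as-is (capped only so this
 * model stays inside kernel_mem). */
size_t get_version_unclamped(char *out, size_t out_len)
{
	if (out_len > sizeof(kernel_mem))
		out_len = sizeof(kernel_mem);
	memcpy(out, kernel_mem, out_len); /* stands in for copy_to_user() */
	return out_len;
}

/* Review suggestion: copy min(caller length, strlen + 1). */
size_t get_version_clamped(char *out, size_t out_len)
{
	size_t len = strlen(kernel_mem) + 1;

	if (out_len < len)
		len = out_len;
	memcpy(out, kernel_mem, len); /* stands in for copy_to_user() */
	return len;
}

/* 1 if bytes stored after the string's NUL reached the caller's buffer. */
int leaked_adjacent(const char *out, size_t copied)
{
	size_t ver = strlen(VER_STR) + 1;

	return copied >= ver + 8 && memcmp(out + ver, "ADJACENT", 8) == 0;
}

int main(void)
{
	char a[32] = {0}, b[32] = {0};
	size_t na = get_version_unclamped(a, sizeof(a));
	size_t nb = get_version_clamped(b, sizeof(b));

	printf("unclamped: %zu bytes, leak=%d\n", na, leaked_adjacent(a, na));
	printf("clamped:   %zu bytes, leak=%d\n", nb, leaked_adjacent(b, nb));
	return 0;
}
```

The clamp bounds the copy on both sides: never more than the string and its NUL, and never more than the length the caller declared.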


