[PATCH] Staging: bcm: Fix information leak in ioctl, IOCTL_BCM_REGISTER_READ_PRIVATE
Dan Carpenter
dan.carpenter at oracle.com
Sat Nov 5 18:44:48 UTC 2011
Hi Kevin,
Thanks for your work on this. Your patch looks good. I hesitate to
ask this given that you've redone this patch several times already...
But...
On Sat, Nov 05, 2011 at 01:52:43PM -0400, Kevin McKinney wrote:
> @@ -318,11 +322,15 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
> }
>
> uiTempVar = sRdmBuffer.Register & EEPROM_REJECT_MASK;
> - Status = rdmaltWithLock(Adapter, (UINT)sRdmBuffer.Register, (PUINT)temp_buff, IoBuffer.OutputLength);
> + bytes = rdmaltWithLock(Adapter, (UINT)sRdmBuffer.Register, (PUINT)temp_buff, IoBuffer.OutputLength);
>
> - if (Status == STATUS_SUCCESS)
> + if (bytes > 0) {
> + Status = STATUS_SUCCESS;
> if (copy_to_user(IoBuffer.OutputBuffer, temp_buff, IoBuffer.OutputLength))
^^^^^^^^^^^^^^^^^^^^^
This looks like another info leak the same as the one in
IOCTL_BCM_REGISTER_READ_PRIVATE. Could you change
"IoBuffer.OutputLength" to "bytes" here?
> Status = -EFAULT;
> + } else {
> + Status = bytes;
> + }
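Review bot: In the "bytes > 0" branch, copy_to_user() still takes IoBuffer.OutputLength as its length even though rdmaltWithLock() now reports the number of bytes it read in "bytes", so whenever bytes is smaller than IoBuffer.OutputLength the tail of temp_buff is copied to user space without having been written by this read (unless it is zeroed to the full length outside this hunk). Pass "bytes" as the copy length. Separately, the else branch assigns Status = bytes, which is 0 when the read returns zero bytes; it is worth confirming that this is the status the caller should see for an empty read, and saying so in a comment.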
When you've made that change can you resend with a:
Reviewed-by: Dan Carpenter <dan.carpenter at oracle.com>
regards,
dan carpenter