[PATCH] Staging: bcm: Clean up code in ioctl: IOCTL_BCM_EEPROM_REGISTER_READ

Kevin McKinney klmckinney1 at gmail.com
Wed Nov 9 03:33:35 UTC 2011


This patch verifies two conditions before executing
a kmalloc call. First, it checks to see that
IoBuffer.OutputLength is not greater than an
unsigned short. If so, an invalid value may be
returned. The second change is a check to make
sure IoBuffer.OutputLength is not equal to
zero. Which simply keeps this code inline with
the other ioctl, IOCTL_BCM_REGISTER_READ_PRIVATE.

Signed-off-by: Kevin McKinney <klmckinney1 at gmail.com>
---
 drivers/staging/bcm/Bcmchar.c |    6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

diff --git a/drivers/staging/bcm/Bcmchar.c b/drivers/staging/bcm/Bcmchar.c
index e110d0e..7cffbdd 100644
--- a/drivers/staging/bcm/Bcmchar.c
+++ b/drivers/staging/bcm/Bcmchar.c
@@ -306,7 +306,11 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
 		if (copy_from_user(&sRdmBuffer, IoBuffer.InputBuffer, IoBuffer.InputLength))
 			return -EFAULT;
 
-		/* FIXME: don't trust user supplied length */
+		if (IoBuffer.OutputLength > USHRT_MAX ||
+			IoBuffer.OutputLength == 0) {
+			return -EINVAL;
+		}
+
 		temp_buff = kmalloc(IoBuffer.OutputLength, GFP_KERNEL);
 		if (!temp_buff)
 			return STATUS_FAILURE;
-- 
1.7.4.1




More information about the devel mailing list