[PATCH 3/3] Staging: bcm: Add min/max restrictions for IOCTL_BCM_REGISTER_READ_PRIVATE.
Joe Perches
joe at perches.com
Mon Sep 26 16:00:48 UTC 2011
On Sun, 2011-09-25 at 21:15 -0400, Kevin McKinney wrote:
> This patch fixes two issues within bcm/Bcmchar.c.
[]
> diff --git a/drivers/staging/bcm/Bcmchar.c b/drivers/staging/bcm/Bcmchar.c
[]
> @@ -216,7 +216,12 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
> if (copy_from_user(&sRdmBuffer, IoBuffer.InputBuffer, IoBuffer.InputLength))
> return -EFAULT;
>
> - /* FIXME: need to restrict BuffLen */
> + if (IoBuffer.OutputLength == 0)
> + return -EINVAL;
> +
> + if (IoBuffer.OutputLength > USHRT_MAX)
> + return -EINVAL;
It's reasonable and shorter to combine these tests.
if (IoBuffer.OutputLength == 0 ||
IoBuffer.OutputLength > USHRT_MAX)
return -EINVAL;
> +
> Bufflen = IoBuffer.OutputLength + (4 - IoBuffer.OutputLength%4)%4;
Not your issue, but because it's near the patched bits:
Because of the two modulos, this is not straightforward.
Perhaps a temporary helps.
Bufflen = IoBuffer.OutputLength;
u16 extra = Bufflen % 4;
if (extra)
Bufflen += 4 - extra;
> temp_buff = kmalloc(Bufflen, GFP_KERNEL);
> if (!temp_buff)
More information about the devel
mailing list