[patch 1/2] Staging: silicom: add some range checks to proc functions
Dan Carpenter
dan.carpenter at oracle.com
Fri Sep 14 06:56:00 UTC 2012
If you tried to cat more than 255 characters (the last character is for
the terminator) to these proc files then it would corrupt kernel memory.
Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
diff --git a/drivers/staging/silicom/bp_mod.c b/drivers/staging/silicom/bp_mod.c
index 6e999c7..1b3f5e7 100644
--- a/drivers/staging/silicom/bp_mod.c
+++ b/drivers/staging/silicom/bp_mod.c
@@ -8227,6 +8227,9 @@ set_dis_bypass_pfs(struct file *file, const char *buffer,
int bypass_param = 0, length = 0;
+ if (count >= sizeof(kbuf))
+ return -EINVAL;
+
if (copy_from_user(&kbuf, buffer, count)) {
return -1;
}
@@ -8256,6 +8259,9 @@ set_dis_tap_pfs(struct file *file, const char *buffer,
int tap_param = 0, length = 0;
+ if (count >= sizeof(kbuf))
+ return -EINVAL;
+
if (copy_from_user(&kbuf, buffer, count)) {
return -1;
}
@@ -8285,6 +8291,9 @@ set_dis_disc_pfs(struct file *file, const char *buffer,
int tap_param = 0, length = 0;
+ if (count >= sizeof(kbuf))
+ return -EINVAL;
+
if (copy_from_user(&kbuf, buffer, count)) {
return -1;
}
@@ -8374,6 +8383,9 @@ set_bypass_pwup_pfs(struct file *file, const char *buffer,
int bypass_param = 0, length = 0;
+ if (count >= sizeof(kbuf))
+ return -EINVAL;
+
if (copy_from_user(&kbuf, buffer, count)) {
return -1;
}
@@ -8403,6 +8415,9 @@ set_bypass_pwoff_pfs(struct file *file, const char *buffer,
int bypass_param = 0, length = 0;
+ if (count >= sizeof(kbuf))
+ return -EINVAL;
+
if (copy_from_user(&kbuf, buffer, count)) {
return -1;
}
@@ -8432,6 +8447,9 @@ set_tap_pwup_pfs(struct file *file, const char *buffer,
int tap_param = 0, length = 0;
+ if (count >= sizeof(kbuf))
+ return -EINVAL;
+
if (copy_from_user(&kbuf, buffer, count)) {
return -1;
}
@@ -8461,6 +8479,9 @@ set_disc_pwup_pfs(struct file *file, const char *buffer,
int tap_param = 0, length = 0;
+ if (count >= sizeof(kbuf))
+ return -EINVAL;
+
if (copy_from_user(&kbuf, buffer, count)) {
return -1;
}
@@ -8570,6 +8591,9 @@ set_std_nic_pfs(struct file *file, const char *buffer,
int bypass_param = 0, length = 0;
+ if (count >= sizeof(kbuf))
+ return -EINVAL;
+
if (copy_from_user(&kbuf, buffer, count)) {
return -1;
}
More information about the devel
mailing list