[patch 1/2] Staging: silicom: add some range checks to proc functions

Dan Carpenter dan.carpenter at oracle.com
Fri Sep 14 06:56:00 UTC 2012


If you tried to cat more than 255 characters (the last character is for
the terminator) to these proc files then it would corrupt kernel memory.

Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>

diff --git a/drivers/staging/silicom/bp_mod.c b/drivers/staging/silicom/bp_mod.c
index 6e999c7..1b3f5e7 100644
--- a/drivers/staging/silicom/bp_mod.c
+++ b/drivers/staging/silicom/bp_mod.c
@@ -8227,6 +8227,9 @@ set_dis_bypass_pfs(struct file *file, const char *buffer,
 
 	int bypass_param = 0, length = 0;
 
+	if (count >= sizeof(kbuf))
+		return -EINVAL;
+
 	if (copy_from_user(&kbuf, buffer, count)) {
 		return -1;
 	}
@@ -8256,6 +8259,9 @@ set_dis_tap_pfs(struct file *file, const char *buffer,
 
 	int tap_param = 0, length = 0;
 
+	if (count >= sizeof(kbuf))
+		return -EINVAL;
+
 	if (copy_from_user(&kbuf, buffer, count)) {
 		return -1;
 	}
@@ -8285,6 +8291,9 @@ set_dis_disc_pfs(struct file *file, const char *buffer,
 
 	int tap_param = 0, length = 0;
 
+	if (count >= sizeof(kbuf))
+		return -EINVAL;
+
 	if (copy_from_user(&kbuf, buffer, count)) {
 		return -1;
 	}
@@ -8374,6 +8383,9 @@ set_bypass_pwup_pfs(struct file *file, const char *buffer,
 
 	int bypass_param = 0, length = 0;
 
+	if (count >= sizeof(kbuf))
+		return -EINVAL;
+
 	if (copy_from_user(&kbuf, buffer, count)) {
 		return -1;
 	}
@@ -8403,6 +8415,9 @@ set_bypass_pwoff_pfs(struct file *file, const char *buffer,
 
 	int bypass_param = 0, length = 0;
 
+	if (count >= sizeof(kbuf))
+		return -EINVAL;
+
 	if (copy_from_user(&kbuf, buffer, count)) {
 		return -1;
 	}
@@ -8432,6 +8447,9 @@ set_tap_pwup_pfs(struct file *file, const char *buffer,
 
 	int tap_param = 0, length = 0;
 
+	if (count >= sizeof(kbuf))
+		return -EINVAL;
+
 	if (copy_from_user(&kbuf, buffer, count)) {
 		return -1;
 	}
@@ -8461,6 +8479,9 @@ set_disc_pwup_pfs(struct file *file, const char *buffer,
 
 	int tap_param = 0, length = 0;
 
+	if (count >= sizeof(kbuf))
+		return -EINVAL;
+
 	if (copy_from_user(&kbuf, buffer, count)) {
 		return -1;
 	}
@@ -8570,6 +8591,9 @@ set_std_nic_pfs(struct file *file, const char *buffer,
 
 	int bypass_param = 0, length = 0;
 
+	if (count >= sizeof(kbuf))
+		return -EINVAL;
+
 	if (copy_from_user(&kbuf, buffer, count)) {
 		return -1;
 	}



More information about the devel mailing list