staging/cxt1e1/linux.c: Correct arbitrary memory write in c4_ioctl()

The function c4_ioctl() writes data from user in ifr->ifr_data to the kernel struct data arg, without any iolen bounds checking. This can lead to a arbitrary write outside of the struct data arg. Corrected by adding bounds-checking of iolen before the copy_from_user(). Signed-off-by: Salva Peiró <speiro@ai2.upv.es> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

staging/cxt1e1/linux.c: Correct arbitrary memory write in c4_ioctl()
The function c4_ioctl() writes data from user in ifr->ifr_data to the kernel struct data arg, without any iolen bounds checking. This can lead to a arbitrary write outside of the struct data arg. Corrected by adding bounds-checking of iolen before the copy_from_user(). Signed-off-by: Salva Peiró <speiro@ai2.upv.es> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
084b6e77 · Salva Peiró · Greg Kroah-Hartman · 0414855f · 084b6e77
Commit 084b6e77 authored Mar 03, 2014 by Salva Peiró Committed by Greg Kroah-Hartman Mar 04, 2014
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 0 deletions

drivers/staging/cxt1e1/linux.c drivers/staging/cxt1e1/linux.c +2 -0

No files found.
--- a/drivers/staging/cxt1e1/linux.c
+++ b/drivers/staging/cxt1e1/linux.c
@@ -866,6 +866,8 @@ c4_ioctl (struct net_device *ndev, struct ifreq *ifr, int cmd)
            _IOC_SIZE (iocmd));
 #endif
    iolen = _IOC_SIZE (iocmd);
+    if (iolen > sizeof(arg))
+        return -EFAULT;
    data = ifr->ifr_data + sizeof (iocmd);
    if (copy_from_user (&arg, data, iolen))
        return -EFAULT;