Commit 084b6e77 authored by Salva Peiró's avatar Salva Peiró Committed by Greg Kroah-Hartman

staging/cxt1e1/linux.c: Correct arbitrary memory write in c4_ioctl()

The function c4_ioctl() writes data from user in ifr->ifr_data
to the kernel struct data arg, without any iolen bounds checking.
This can lead to a arbitrary write outside of the struct data arg.
Corrected by adding bounds-checking of iolen before the copy_from_user().
Signed-off-by: default avatarSalva Peiró <speiro@ai2.upv.es>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 0414855f
...@@ -866,6 +866,8 @@ c4_ioctl (struct net_device *ndev, struct ifreq *ifr, int cmd) ...@@ -866,6 +866,8 @@ c4_ioctl (struct net_device *ndev, struct ifreq *ifr, int cmd)
_IOC_SIZE (iocmd)); _IOC_SIZE (iocmd));
#endif #endif
iolen = _IOC_SIZE (iocmd); iolen = _IOC_SIZE (iocmd);
if (iolen > sizeof(arg))
return -EFAULT;
data = ifr->ifr_data + sizeof (iocmd); data = ifr->ifr_data + sizeof (iocmd);
if (copy_from_user (&arg, data, iolen)) if (copy_from_user (&arg, data, iolen))
return -EFAULT; return -EFAULT;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment