Staging: bcm: copying more data than intended

This was changed to bcm_flash2x_cs_info instead of bcm_flash_cs_info when we got rid of the typedefs. bcm_flash2x_cs_info is quite a bit larger than bcm_flash_cs_info (436 bytes instead of 96) so it would corrupt user memory and it's an info leak. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Staging: bcm: copying more data than intended
This was changed to bcm_flash2x_cs_info instead of bcm_flash_cs_info when we got rid of the typedefs. bcm_flash2x_cs_info is quite a bit larger than bcm_flash_cs_info (436 bytes instead of 96) so it would corrupt user memory and it's an info leak. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
cb9cc9ca · Dan Carpenter · Greg Kroah-Hartman · b3d07cf5 · cb9cc9ca
Commit cb9cc9ca authored Jan 09, 2013 by Dan Carpenter Committed by Greg Kroah-Hartman Jan 17, 2013
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

drivers/staging/bcm/Bcmchar.c drivers/staging/bcm/Bcmchar.c +1 -1

No files found.
--- a/drivers/staging/bcm/Bcmchar.c
+++ b/drivers/staging/bcm/Bcmchar.c
@@ -1792,7 +1792,7 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
 			if (IoBuffer.OutputLength < sizeof(struct bcm_flash_cs_info))
 				return -EINVAL;

-			if (copy_to_user(IoBuffer.OutputBuffer, Adapter->psFlashCSInfo, sizeof(struct bcm_flash2x_cs_info)))
+			if (copy_to_user(IoBuffer.OutputBuffer, Adapter->psFlashCSInfo, sizeof(struct bcm_flash_cs_info)))
 				return -EFAULT;
 		}
 	}