Staging: bcm: Fix information leak in IOCTL_BCM_GET_DRIVER_VERSION

This ioctl, IOCTL_BCM_GET_DRIVER_VERSION, is responsible for sending the driver version to userspace. However, the requested size stored in IoBuffer.OutputLength may be incorrect. Therefore, we altered the code to send the exact length of the version, plus one for the null character. Signed-off-by: Kevin McKinney <klmckinney1@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

Staging: bcm: Fix information leak in IOCTL_BCM_GET_DRIVER_VERSION
This ioctl, IOCTL_BCM_GET_DRIVER_VERSION, is responsible for sending the driver version to userspace. However, the requested size stored in IoBuffer.OutputLength may be incorrect. Therefore, we altered the code to send the exact length of the version, plus one for the null character. Signed-off-by: Kevin McKinney <klmckinney1@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
b72a7c85 · Kevin McKinney · Greg Kroah-Hartman · d1840eda · b72a7c85
Commit b72a7c85 authored Dec 14, 2011 by Kevin McKinney Committed by Greg Kroah-Hartman Dec 22, 2011
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 1 deletion

drivers/staging/bcm/Bcmchar.c drivers/staging/bcm/Bcmchar.c +5 -1

No files found.
--- a/drivers/staging/bcm/Bcmchar.c
+++ b/drivers/staging/bcm/Bcmchar.c
@@ -999,11 +999,15 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
 	}

 	case IOCTL_BCM_GET_DRIVER_VERSION: {
+		ulong len;
+
 		/* Copy Ioctl Buffer structure */
 		if (copy_from_user(&IoBuffer, argp, sizeof(IOCTL_BUFFER)))
 			return -EFAULT;

-		if (copy_to_user(IoBuffer.OutputBuffer, VER_FILEVERSION_STR, IoBuffer.OutputLength))
+		len = min_t(ulong, IoBuffer.OutputLength, strlen(VER_FILEVERSION_STR) + 1);
+
+		if (copy_to_user(IoBuffer.OutputBuffer, VER_FILEVERSION_STR, len))
 			return -EFAULT;
 		Status = STATUS_SUCCESS;
 		break;