Staging: bcm: Clean up code in ioctl: IOCTL_BCM_EEPROM_REGISTER_READ

This patch verifies two conditions before executing a kmalloc call. First, it checks to see that IoBuffer.OutputLength is not greater than an unsigned short. If so, an invalid value may be returned. The second change is a check to make sure IoBuffer.OutputLength is not equal to zero. Which simply keeps this code inline with the other ioctl, IOCTL_BCM_REGISTER_READ_PRIVATE. Signed-off-by: Kevin McKinney <klmckinney1@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

Staging: bcm: Clean up code in ioctl: IOCTL_BCM_EEPROM_REGISTER_READ
This patch verifies two conditions before executing a kmalloc call. First, it checks to see that IoBuffer.OutputLength is not greater than an unsigned short. If so, an invalid value may be returned. The second change is a check to make sure IoBuffer.OutputLength is not equal to zero. Which simply keeps this code inline with the other ioctl, IOCTL_BCM_REGISTER_READ_PRIVATE. Signed-off-by: Kevin McKinney <klmckinney1@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
51935d22 · Kevin McKinney · Greg Kroah-Hartman · 41c7b7c0 · 51935d22
Commit 51935d22 authored Nov 08, 2011 by Kevin McKinney Committed by Greg Kroah-Hartman Nov 26, 2011
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 1 deletion

drivers/staging/bcm/Bcmchar.c drivers/staging/bcm/Bcmchar.c +5 -1

No files found.
--- a/drivers/staging/bcm/Bcmchar.c
+++ b/drivers/staging/bcm/Bcmchar.c
@@ -306,7 +306,11 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
 		if (copy_from_user(&sRdmBuffer, IoBuffer.InputBuffer, IoBuffer.InputLength))
 			return -EFAULT;

-		/* FIXME: don't trust user supplied length */
+		if (IoBuffer.OutputLength > USHRT_MAX ||
+			IoBuffer.OutputLength == 0) {
+			return -EINVAL;
+		}
+
 		temp_buff = kmalloc(IoBuffer.OutputLength, GFP_KERNEL);
 		if (!temp_buff)
 			return STATUS_FAILURE;