All of lore.kernel.org
 help / color / mirror / Atom feed
* [patch 1/2] staging/bcm: two information leaks in ioctl
@ 2014-02-17 19:56 Dan Carpenter
  2014-02-17 19:59 ` Dave Jones
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Dan Carpenter @ 2014-02-17 19:56 UTC (permalink / raw)
  To: kernel-janitors

There are a couple paths where we don't check how much data we copy back
to the user.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

diff --git a/drivers/staging/bcm/Bcmchar.c b/drivers/staging/bcm/Bcmchar.c
index fdebc3bba0b5..6f1997dc44c8 100644
--- a/drivers/staging/bcm/Bcmchar.c
+++ b/drivers/staging/bcm/Bcmchar.c
@@ -590,6 +590,8 @@ static int bcm_char_ioctl_gpio_multi_request(void __user *argp, struct bcm_mini_
 
 	if (IoBuffer.InputLength > sizeof(gpio_multi_info))
 		return -EINVAL;
+	if (IoBuffer.OutputLength > sizeof(gpio_multi_info))
+		IoBuffer.OutputLength = sizeof(gpio_multi_info);
 
 	if (copy_from_user(&gpio_multi_info, IoBuffer.InputBuffer, IoBuffer.InputLength))
 		return -EFAULT;
@@ -680,6 +682,8 @@ static int bcm_char_ioctl_gpio_mode_request(void __user *argp, struct bcm_mini_a
 
 	if (IoBuffer.InputLength > sizeof(gpio_multi_mode))
 		return -EINVAL;
+	if (IoBuffer.OutputLength > sizeof(gpio_multi_mode))
+		IoBuffer.OutputLength = sizeof(gpio_multi_mode);
 
 	if (copy_from_user(&gpio_multi_mode, IoBuffer.InputBuffer, IoBuffer.InputLength))
 		return -EFAULT;

^ permalink raw reply related	[flat|nested] 4+ messages in thread
end of thread, other threads:[~2014-02-17 20:23 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-02-17 19:56 [patch 1/2] staging/bcm: two information leaks in ioctl Dan Carpenter
2014-02-17 19:59 ` Dave Jones
2014-02-17 20:13 ` Dan Carpenter
2014-02-17 20:23 ` Dave Jones

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.