* [patch] i2o: check copy_from_user() size parameter
@ 2013-03-01 5:21 Dan Carpenter
0 siblings, 0 replies; only message in thread
From: Dan Carpenter @ 2013-03-01 5:21 UTC (permalink / raw)
To: Andrew Morton
Cc: Jiri Kosina, Masanari Iida, Alan Cox, linux-kernel,
kernel-janitors
Limit the size of the copy so we don't corrupt memory. Hopefully
this can only be called by root, but fixing this makes the static
checkers happier.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
diff --git a/drivers/message/i2o/i2o_config.c b/drivers/message/i2o/i2o_config.c
index 5451bef..a60c188 100644
--- a/drivers/message/i2o/i2o_config.c
+++ b/drivers/message/i2o/i2o_config.c
@@ -687,6 +687,11 @@ static int i2o_cfg_passthru32(struct file *file, unsigned cmnd,
}
size = size >> 16;
size *= 4;
+ if (size > sizeof(rmsg)) {
+ rcode = -EINVAL;
+ goto sg_list_cleanup;
+ }
+
/* Copy in the user's I2O command */
if (copy_from_user(rmsg, user_msg, size)) {
rcode = -EFAULT;
@@ -922,6 +927,11 @@ static int i2o_cfg_passthru(unsigned long arg)
}
size = size >> 16;
size *= 4;
+ if (size > sizeof(rmsg)) {
+ rcode = -EFAULT;
+ goto sg_list_cleanup;
+ }
+
/* Copy in the user's I2O command */
if (copy_from_user(rmsg, user_msg, size)) {
rcode = -EFAULT;
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2013-03-01 5:21 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-03-01 5:21 [patch] i2o: check copy_from_user() size parameter Dan Carpenter
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox