iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Staging: sep: potential buffer overflow in ioctl

Browse Source 
tail_size is determined by several variables that come from the user
so we should verify that it's not too large.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Alan Cox <alan@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
This commit is contained in:
Dan Carpenter 2011-10-29 10:20:20 +03:00 committed by Greg Kroah-Hartman
parent 23226977e9
commit 9638b67ba2
1 changed files with 2 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
drivers/staging/sep/sep_driver.c
View File

@ -2120,6 +2120,8 @@ static int sep_prepare_input_output_dma_table_in_dcb(struct sep_device *sep,
} }
} }
if (tail_size) { if (tail_size) {
if (tail_size > sizeof(dcb_table_ptr->tail_data))
return -EINVAL;
if (is_kva == true) { if (is_kva == true) {
memcpy(dcb_table_ptr->tail_data, memcpy(dcb_table_ptr->tail_data,
(void *)(app_in_address + data_in_size - (void *)(app_in_address + data_in_size -