]> git.baikalelectronics.ru Git - kernel.git/commit
cw1200: Sanity-check arguments in copy_from_user()
authorSolomon Peachy <pizza@shaftnet.org>
Wed, 5 Jun 2013 03:37:05 +0000 (23:37 -0400)
committerJohn W. Linville <linville@tuxdriver.com>
Mon, 10 Jun 2013 18:41:25 +0000 (14:41 -0400)
commit5a6642400d2ec4e93c1d9d2c037c500ac3ad841d
tree4fd3cb8439a8efc71e4b768257dbaea6f8dddbec
parentb0e3b9c84659108a301593cf41bc6d3a8a6c1f0a
cw1200: Sanity-check arguments in copy_from_user()

The optional debugfs interface to the vendor's engineering tools wasn't
bounds checking at all, which made it trivial to perform a buffer
overflow if this interface was compiled in and then explicitly enabled
at runtime.

This patch checks both the length supplied as part of the data to ensure
it is sane, and also the amount of data compared to the remaining buffer
space.  If either is too large, fail immediately.

(This bug was spotted by Dan Carpenter <dan.carpenter@oracle.com>)

Signed-off-by: Solomon Peachy <pizza@shaftnet.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
drivers/net/wireless/cw1200/debug.c