[patch] i2o: check copy_from_user() size parameter

From: Dan Carpenter
Date: Fri Mar 01 2013 - 00:24:06 EST


Limit the size of the copy so we don't corrupt memory. Hopefully
this can only be called by root, but fixing this makes the static
checkers happier.

Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>

diff --git a/drivers/message/i2o/i2o_config.c b/drivers/message/i2o/i2o_config.c
index 5451bef..a60c188 100644
--- a/drivers/message/i2o/i2o_config.c
+++ b/drivers/message/i2o/i2o_config.c
@@ -687,6 +687,11 @@ static int i2o_cfg_passthru32(struct file *file, unsigned cmnd,
}
size = size >> 16;
size *= 4;
+ if (size > sizeof(rmsg)) {
+ rcode = -EINVAL;
+ goto sg_list_cleanup;
+ }
+
/* Copy in the user's I2O command */
if (copy_from_user(rmsg, user_msg, size)) {
rcode = -EFAULT;
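Review bot: The bound in the added `if (size > sizeof(rmsg))` is only correct if `rmsg` is declared as an array in i2o_cfg_passthru32(); the declaration is outside this hunk's context, and if `rmsg` is a pointer the comparison is against the pointer size rather than the buffer size. Please confirm the declaration, or compare against the same constant that sizes the buffer so the limit stays right if the declaration changes. The changelog's "hopefully this can only be called by root" would also be stronger if it named the permission check that the ioctl path actually enforces.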
@@ -922,6 +927,11 @@ static int i2o_cfg_passthru(unsigned long arg)
}
size = size >> 16;
size *= 4;
+ if (size > sizeof(rmsg)) {
+ rcode = -EFAULT;
+ goto sg_list_cleanup;
+ }
+
/* Copy in the user's I2O command */
if (copy_from_user(rmsg, user_msg, size)) {
rcode = -EFAULT;
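Review bot: The oversize check added in i2o_cfg_passthru() sets `rcode = -EFAULT`, while the identical check in the i2o_cfg_passthru32() hunk sets `rcode = -EINVAL`. -EFAULT is also what the `copy_from_user()` failure two lines below returns, so a caller cannot tell a rejected length from a bad user pointer. Suggest `rcode = -EINVAL;` here so both entry points report an out-of-range size the same way. As in the first hunk, the check depends on `sizeof(rmsg)` being the size of an array rather than of a pointer, which the visible context does not show.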