Staging: bcm: Add min/max restrictions for IOCTL_BCM_REGISTER_READ_PRIVATE

This patch fixes two issues within bcm/Bcmchar.c. The
first condition in the or statement checks if variable
IoBuffer.OutputLength, defined from user space, is
greater than the maximum value allowed for an
unsigned short. IoBuffer.OutputLength is then used
in a kmalloc call to return a pointer to memory. If
this size is greater than an unsigned short, it
becomes useless. The second condition in the or statement
checks if the same variable, IoBuffer.OutputLength, is
equal to zero before invoking the kmalloc call. In
this case, if a zero size is sent to kmalloc, a valid
pointer to memory is returned instead of the expected NULL.

Signed-off-by: Kevin McKinney <klmckinney1@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Kevin McKinney authored and Greg Kroah-Hartman committed Sep 30, 2011
1 parent d515d0f commit 0a2cc49
Showing 1 changed file with 5 additions and 1 deletion.
6 changes: 5 additions & 1 deletion drivers/staging/bcm/Bcmchar.c
Expand Up @@ -216,7 +216,11 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
if (copy_from_user(&sRdmBuffer, IoBuffer.InputBuffer, IoBuffer.InputLength))
return -EFAULT;

/* FIXME: need to restrict BuffLen */
if (IoBuffer.OutputLength > USHRT_MAX ||
IoBuffer.OutputLength == 0) {
return -EINVAL;
}

Bufflen = IoBuffer.OutputLength + (4 - IoBuffer.OutputLength%4)%4;
temp_buff = kmalloc(Bufflen, GFP_KERNEL);
if (!temp_buff)
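
Review bot: the `USHRT_MAX` ceiling in the new `IoBuffer.OutputLength` check has no stated basis in the code, and the FIXME comment it replaces was the only record of why a limit is needed here. Add a short comment or a named constant giving the reason for that maximum, and mention that the bound is also what keeps the round-up to a multiple of 4 on the `Bufflen` line from wrapping for very large user-supplied lengths. The check could also sit above the `copy_from_user()` call so a bad output length is rejected before any user data is copied, and the braces around the single `return -EINVAL;` can be dropped to match kernel coding style.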