staging/cxt1e1/linux.c: Correct arbitrary memory write in c4_ioctl()
The function c4_ioctl() writes data from user in ifr->ifr_data
to the kernel struct data arg, without any iolen bounds checking.
This can lead to an arbitrary write outside of the struct data arg.
Corrected by adding bounds-checking of iolen before the copy_from_user().

Signed-off-by: Salva Peiró <speiro@ai2.upv.es>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Salva Peiró authored and Greg Kroah-Hartman committed Mar 5, 2014
1 parent 0414855 commit 084b6e7
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions drivers/staging/cxt1e1/linux.c
Expand Up @@ -866,6 +866,8 @@ c4_ioctl (struct net_device *ndev, struct ifreq *ifr, int cmd)
_IOC_SIZE (iocmd));
#endif
iolen = _IOC_SIZE (iocmd);
if (iolen > sizeof(arg))
return -EFAULT;
data = ifr->ifr_data + sizeof (iocmd);
if (copy_from_user (&arg, data, iolen))
return -EFAULT;
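
Review bot: The added check `if (iolen > sizeof(arg))` returns -EFAULT, the same code the copy_from_user() failure returns two lines further down, so a caller cannot distinguish an oversized length encoded in iocmd from a bad user pointer. -EINVAL would describe the size rejection more accurately, since no user address has been touched on that path. The placement is right: the comparison runs after `iolen = _IOC_SIZE (iocmd);` and before `copy_from_user (&arg, data, iolen)`, so the copy length can no longer exceed the destination. A short comment noting that iolen is derived from iocmd and must fit in arg would document why the check exists.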