Skip to content

Commit

Permalink
i2o: check copy_from_user() size parameter
Browse files Browse the repository at this point in the history
Limit the size of the copy so we don't corrupt memory.  Hopefully this
can only be called by root, but fixing this makes the static checkers
happier.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Jiri Kosina <jkosina@suse.cz>
Cc: Masanari Iida <standby24x7@gmail.com>
Cc: Alan Cox <alan@linux.intel.com>
Cc: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
  • Loading branch information
Dan Carpenter authored and Linus Torvalds committed May 1, 2013
1 parent 79bae42 commit 9151b39
Showing 1 changed file with 10 additions and 0 deletions.
10 changes: 10 additions & 0 deletions drivers/message/i2o/i2o_config.c
Original file line number Diff line number Diff line change
@@ -687,6 +687,11 @@ static int i2o_cfg_passthru32(struct file *file, unsigned cmnd,
}
size = size >> 16;
size *= 4;
if (size > sizeof(rmsg)) {
rcode = -EINVAL;
goto sg_list_cleanup;
}

/* Copy in the user's I2O command */
if (copy_from_user(rmsg, user_msg, size)) {
rcode = -EFAULT;
@@ -922,6 +927,11 @@ static int i2o_cfg_passthru(unsigned long arg)
}
size = size >> 16;
size *= 4;
if (size > sizeof(rmsg)) {
rcode = -EFAULT;
goto sg_list_cleanup;
}

/* Copy in the user's I2O command */
if (copy_from_user(rmsg, user_msg, size)) {
rcode = -EFAULT;

0 comments on commit 9151b39

Please sign in to comment.