Staging: bcm: Clean up code in ioctl: IOCTL_BCM_EEPROM_REGISTER_READ · 51935d2259 - evie/android_kernel_oneplus_msm8998 - Gay Catgirls Forgejo: gay catgirls having sex

evie/android_kernel_oneplus_msm8998

Staging: bcm: Clean up code in ioctl: IOCTL_BCM_EEPROM_REGISTER_READ

This patch verifies two conditions before executing
a kmalloc call. First, it checks to see that
IoBuffer.OutputLength is not greater than an
unsigned short. If so, an invalid value may be
returned. The second change is a check to make
sure IoBuffer.OutputLength is not equal to
zero. Which simply keeps this code inline with
the other ioctl, IOCTL_BCM_REGISTER_READ_PRIVATE.

Signed-off-by: Kevin McKinney <klmckinney1@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

This commit is contained in:

Kevin McKinney

2011-11-08 22:33:35 -05:00

• committed by

Greg Kroah-Hartman

parent 41c7b7c0fa

commit 51935d2259

1 changed files with 5 additions and 1 deletions

									
										6

drivers/staging/bcm/Bcmchar.c
									
										View file
										
				@ -306,7 +306,11 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)

						if (copy_from_user(&sRdmBuffer, IoBuffer.InputBuffer, IoBuffer.InputLength))

							return -EFAULT;

						/* FIXME: don't trust user supplied length */

						if (IoBuffer.OutputLength > USHRT_MAX ||

							IoBuffer.OutputLength == 0) {

							return -EINVAL;

						}

						temp_buff = kmalloc(IoBuffer.OutputLength, GFP_KERNEL);

						if (!temp_buff)

							return STATUS_FAILURE;