old buffer overflow in moxa driver

I noticed that the moxa input checking security bug described by CVE-2005-0504 appears to remain unfixed upstream. The issue is described here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0504 Debian has been shipping the following patch from Andres Salomon. (akpm: it's a privileged operation) Signed-off-by: N dann frazier <dannf@hp.com> Signed-off-by: N Andres Salomon <dilinger@debian.org> Signed-off-by: N Andrew Morton <akpm@linux-foundation.org> Signed-off-by: N Linus Torvalds <torvalds@linux-foundation.org>

old buffer overflow in moxa driver
I noticed that the moxa input checking security bug described by CVE-2005-0504 appears to remain unfixed upstream. The issue is described here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0504 Debian has been shipping the following patch from Andres Salomon. (akpm: it's a privileged operation) Signed-off-by: N dann frazier <dannf@hp.com> Signed-off-by: N Andres Salomon <dilinger@debian.org> Signed-off-by: N Andrew Morton <akpm@linux-foundation.org> Signed-off-by: N Linus Torvalds <torvalds@linux-foundation.org>
a2f72982 · dann frazier · Linus Torvalds · 83ae1b79 · a2f72982
隐藏空白更改
内联并排

Showing with 6 addition and 2 deletion

drivers/char/moxa.c drivers/char/moxa.c +6 -2

未找到文件。
--- a/drivers/char/moxa.c
+++ b/drivers/char/moxa.c
@@ -1582,7 +1582,7 @@ int MoxaDriverIoctl(unsigned int cmd, unsigned long arg, int port)

 	if(copy_from_user(&dltmp, argp, sizeof(struct dl_str)))
 		return -EFAULT;
-	if(dltmp.cardno < 0 || dltmp.cardno >= MAX_BOARDS)
+	if(dltmp.cardno < 0 || dltmp.cardno >= MAX_BOARDS || dltmp.len < 0)
 		return -EINVAL;

 	switch(cmd)
@@ -2529,6 +2529,8 @@ static int moxaloadbios(int cardno, unsigned char __user *tmp, int len)
 	void __iomem *baseAddr;
 	int i;

+	if(len < 0 || len > sizeof(moxaBuff))
+		return -EINVAL;
 	if(copy_from_user(moxaBuff, tmp, len))
 		return -EFAULT;
 	baseAddr = moxa_boards[cardno].basemem;
@@ -2576,7 +2578,7 @@ static int moxaload320b(int cardno, unsigned char __user *tmp, int len)
 	void __iomem *baseAddr;
 	int i;

-	if(len > sizeof(moxaBuff))
+	if(len < 0 || len > sizeof(moxaBuff))
 		return -EINVAL;
 	if(copy_from_user(moxaBuff, tmp, len))
 		return -EFAULT;
@@ -2596,6 +2598,8 @@ static int moxaloadcode(int cardno, unsigned char __user *tmp, int len)
 	void __iomem *baseAddr, *ofsAddr;
 	int retval, port, i;

+	if(len < 0 || len > sizeof(moxaBuff))
+		return -EINVAL;
 	if(copy_from_user(moxaBuff, tmp, len))
 		return -EFAULT;
 	baseAddr = moxa_boards[cardno].basemem;