提交 9151b398 编写于 作者: D Dan Carpenter 提交者: Linus Torvalds

i2o: check copy_from_user() size parameter

Limit the size of the copy so we don't corrupt memory.  Hopefully this
can only be called by root, but fixing this makes the static checkers
happier.
Signed-off-by: NDan Carpenter <dan.carpenter@oracle.com>
Cc: Jiri Kosina <jkosina@suse.cz>
Cc: Masanari Iida <standby24x7@gmail.com>
Cc: Alan Cox <alan@linux.intel.com>
Cc: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
上级 79bae42d
......@@ -687,6 +687,11 @@ static int i2o_cfg_passthru32(struct file *file, unsigned cmnd,
}
size = size >> 16;
size *= 4;
if (size > sizeof(rmsg)) {
rcode = -EINVAL;
goto sg_list_cleanup;
}
/* Copy in the user's I2O command */
if (copy_from_user(rmsg, user_msg, size)) {
rcode = -EFAULT;
......@@ -922,6 +927,11 @@ static int i2o_cfg_passthru(unsigned long arg)
}
size = size >> 16;
size *= 4;
if (size > sizeof(rmsg)) {
rcode = -EFAULT;
goto sg_list_cleanup;
}
/* Copy in the user's I2O command */
if (copy_from_user(rmsg, user_msg, size)) {
rcode = -EFAULT;
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册