summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAlan Cox <alan@linux.intel.com>2012-07-30 23:41:30 +0200
committerLinus Torvalds <torvalds@linux-foundation.org>2012-07-31 02:25:17 +0200
commit261eba73353edd48b0c0cb7aad59553dfc712ebc (patch)
tree0bc64028f987e7777ed5002f0b4debf4422c28ad
parentdrivers/message/i2o/i2o_proc.c: the pointer returned from chtostr() points to... (diff)
downloadlinux-261eba73353edd48b0c0cb7aad59553dfc712ebc.tar.xz
linux-261eba73353edd48b0c0cb7aad59553dfc712ebc.zip
drivers/message/i2o/i2o_config.c: bound allocation
Fix a case where users can try to allocate arbitarily large amounts of memory. 64K is overkill for a config request so apply an upper bound. Signed-off-by: Alan Cox <alan@linux.intel.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-rw-r--r--drivers/message/i2o/i2o_config.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/drivers/message/i2o/i2o_config.c b/drivers/message/i2o/i2o_config.c
index 098de2b35784..9a49c243a6ac 100644
--- a/drivers/message/i2o/i2o_config.c
+++ b/drivers/message/i2o/i2o_config.c
@@ -188,6 +188,13 @@ static int i2o_cfg_parms(unsigned long arg, unsigned int type)
if (!dev)
return -ENXIO;
+ /*
+ * Stop users being able to try and allocate arbitary amounts
+ * of DMA space. 64K is way more than sufficient for this.
+ */
+ if (kcmd.oplen > 65536)
+ return -EMSGSIZE;
+
ops = memdup_user(kcmd.opbuf, kcmd.oplen);
if (IS_ERR(ops))
return PTR_ERR(ops);