summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLinus Torvalds <torvalds@linux-foundation.org>2014-03-10 02:58:27 +0100
committerLinus Torvalds <torvalds@linux-foundation.org>2014-03-10 02:58:27 +0100
commita491ce72f8610c4a675baa45f5572886a2436959 (patch)
treee23adf579497972d30799609ac05750a43a1011d
parentKEYS: Make the keyring cycle detector ignore other keyrings of the same name (diff)
parentstaging/cxt1e1/linux.c: Correct arbitrary memory write in c4_ioctl() (diff)
downloadlinux-a491ce72f8610c4a675baa45f5572886a2436959.tar.xz
linux-a491ce72f8610c4a675baa45f5572886a2436959.zip
Merge tag 'staging-3.15-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging
Pull staging driver tree fix from Greg KH: "Here is a single staging driver fix for your tree. It resolves an issue with arbritary writes to memory if a specific driver is loaded" * tag 'staging-3.15-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging: staging/cxt1e1/linux.c: Correct arbitrary memory write in c4_ioctl()
-rw-r--r--drivers/staging/cxt1e1/linux.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/drivers/staging/cxt1e1/linux.c b/drivers/staging/cxt1e1/linux.c
index 4a08e16e42f7..79206cb3fb94 100644
--- a/drivers/staging/cxt1e1/linux.c
+++ b/drivers/staging/cxt1e1/linux.c
@@ -866,6 +866,8 @@ c4_ioctl (struct net_device *ndev, struct ifreq *ifr, int cmd)
_IOC_SIZE (iocmd));
#endif
iolen = _IOC_SIZE (iocmd);
+ if (iolen > sizeof(arg))
+ return -EFAULT;
data = ifr->ifr_data + sizeof (iocmd);
if (copy_from_user (&arg, data, iolen))
return -EFAULT;