summaryrefslogtreecommitdiffstats
path: root/drivers/firewire
diff options
context:
space:
mode:
authorClemens Ladisch <clemens@ladisch.de>2010-07-07 14:37:30 +0200
committerStefan Richter <stefanr@s5r6.in-berlin.de>2010-07-13 09:47:47 +0200
commita8e93f3dccc066cd6dd1e9db1e35942914fc57d1 (patch)
tree9165f872029ef76e99fd40c0afb6d8c896f8cabc /drivers/firewire
parentfirewire: cdev: fix fw_cdev_event_bus_reset.bm_node_id (diff)
downloadlinux-a8e93f3dccc066cd6dd1e9db1e35942914fc57d1.tar.xz
linux-a8e93f3dccc066cd6dd1e9db1e35942914fc57d1.zip
firewire: cdev: check write quadlet request length to avoid buffer overflow
Check that the data length of a write quadlet request actually is large enough for a quadlet. Otherwise, fw_fill_request could access the four bytes after the end of the outbound_transaction_event structure. Signed-off-by: Clemens Ladisch <clemens@ladisch.de> Modification of Clemens' change: Consolidate the check into init_request() which is used by the affected ioctl_send_request() and ioctl_send_broadcast_request() and the unaffected ioctl_send_stream_packet(), to save a few lines of code. Note, since struct outbound_transaction_event *e is slab-allocated, such an out-of-bounds access won't hit unallocated memory but may result in a (virtually impossible to exploit) information disclosure. Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Diffstat (limited to 'drivers/firewire')
-rw-r--r--drivers/firewire/core-cdev.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/drivers/firewire/core-cdev.c b/drivers/firewire/core-cdev.c
index d8ac0ce2d6bf..f7559bfeaba3 100644
--- a/drivers/firewire/core-cdev.c
+++ b/drivers/firewire/core-cdev.c
@@ -563,6 +563,10 @@ static int init_request(struct client *client,
(request->length > 4096 || request->length > 512 << speed))
return -EIO;
+ if (request->tcode == TCODE_WRITE_QUADLET_REQUEST &&
+ request->length < 4)
+ return -EINVAL;
+
e = kmalloc(sizeof(*e) + request->length, GFP_KERNEL);
if (e == NULL)
return -ENOMEM;