From 084b6e7765b9554699afa23a50e702a3d0ae4b24 Mon Sep 17 00:00:00 2001 From: Salva Peiró Date: Mon, 3 Mar 2014 08:44:04 +0100 Subject: staging/cxt1e1/linux.c: Correct arbitrary memory write in c4_ioctl() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The function c4_ioctl() writes data from user in ifr->ifr_data to the kernel struct data arg, without any iolen bounds checking. This can lead to a arbitrary write outside of the struct data arg. Corrected by adding bounds-checking of iolen before the copy_from_user(). Signed-off-by: Salva Peiró Signed-off-by: Greg Kroah-Hartman --- drivers/staging/cxt1e1/linux.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/staging/cxt1e1/linux.c b/drivers/staging/cxt1e1/linux.c index 4a08e16e42f7..79206cb3fb94 100644 --- a/drivers/staging/cxt1e1/linux.c +++ b/drivers/staging/cxt1e1/linux.c @@ -866,6 +866,8 @@ c4_ioctl (struct net_device *ndev, struct ifreq *ifr, int cmd) _IOC_SIZE (iocmd)); #endif iolen = _IOC_SIZE (iocmd); + if (iolen > sizeof(arg)) + return -EFAULT; data = ifr->ifr_data + sizeof (iocmd); if (copy_from_user (&arg, data, iolen)) return -EFAULT; -- cgit v1.2.3