mtd: sanity check ioctl input
authorDan Carpenter <error27@gmail.com>
Wed, 8 Sep 2010 19:39:56 +0000 (21:39 +0200)
committerDavid Woodhouse <David.Woodhouse@intel.com>
Sun, 24 Oct 2010 22:52:49 +0000 (23:52 +0100)
If "ur_idx" is wrong we could go past the end of the array.  The
"ur_idx" comes from root so it's not a huge deal, but adding a sanity
check makes the code more robust.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
drivers/mtd/mtdchar.c

index 1d981a5..5895de7 100644 (file)
@@ -546,6 +546,9 @@ static int mtd_ioctl(struct file *file, u_int cmd, u_long arg)
                if (get_user(ur_idx, &(ur->regionindex)))
                        return -EFAULT;
 
+               if (ur_idx >= mtd->numeraseregions)
+                       return -EINVAL;
+
                kr = &(mtd->eraseregions[ur_idx]);
 
                if (put_user(kr->offset, &(ur->offset))