From: Alan Cox
Date: Mon, 30 Jul 2012 21:41:30 +0000 (-0700)
Subject: drivers/message/i2o/i2o_config.c: bound allocation
X-Git-Tag: v3.6-rc1~41^2~54
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=261eba73353edd48b0c0cb7aad59553dfc712ebc;p=profile%2Fcommon%2Fkernel-common.git

drivers/message/i2o/i2o_config.c: bound allocation

Fix a case where users can try to allocate arbitrarily large amounts of memory. 64K is overkill for a config request so apply an upper bound.

Signed-off-by: Alan Cox
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
---
diff --git a/drivers/message/i2o/i2o_config.c b/drivers/message/i2o/i2o_config.c index 098de2b..9a49c24 100644 --- a/drivers/message/i2o/i2o_config.c +++ b/drivers/message/i2o/i2o_config.c @@ -188,6 +188,13 @@ static int i2o_cfg_parms(unsigned long arg, unsigned int type) if (!dev) return -ENXIO; + /* + * Stop users being able to try and allocate arbitary amounts + * of DMA space. 64K is way more than sufficient for this. + */ + if (kcmd.oplen > 65536) + return -EMSGSIZE; + ops = memdup_user(kcmd.opbuf, kcmd.oplen); if (IS_ERR(ops)) return PTR_ERR(ops);
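
Review bot: The new bound `if (kcmd.oplen > 65536)` in i2o_cfg_parms() is only a complete check if `kcmd.oplen` is unsigned, and the hunk does not show its declaration. With a signed field, a negative length would pass this comparison and then be converted to a very large size when handed to `memdup_user(kcmd.opbuf, kcmd.oplen)`, so it is worth confirming the type or comparing after a cast to an unsigned type. Two smaller points in the added comment: it says "DMA space" while the allocation guarded directly below is the `memdup_user()` copy of the user buffer, which the commit message describes simply as memory, and "arbitary" should read "arbitrary". The bare 65536 would also be easier to audit as a named constant.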