From: Dan Carpenter Date: Tue, 29 Oct 2013 19:07:47 +0000 (+0300) Subject: staging: ozwpan: prevent overflow in oz_cdev_write() X-Git-Tag: v4.0~3053 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=c2c65cd2e14ada6de44cb527e7f1990bede24e15;p=platform%2Fkernel%2Flinux-amlogic.git staging: ozwpan: prevent overflow in oz_cdev_write() We need to check "count" so we don't overflow the ei->data buffer. Reported-by: Nico Golde Reported-by: Fabian Yamaguchi Signed-off-by: Dan Carpenter Cc: stable@kernel.org Signed-off-by: Linus Torvalds --- diff --git a/drivers/staging/ozwpan/ozcdev.c b/drivers/staging/ozwpan/ozcdev.c index 6ccb64fb0786..6ce0af9977d8 100644 --- a/drivers/staging/ozwpan/ozcdev.c +++ b/drivers/staging/ozwpan/ozcdev.c @@ -155,6 +155,9 @@ static ssize_t oz_cdev_write(struct file *filp, const char __user *buf, struct oz_app_hdr *app_hdr; struct oz_serial_ctx *ctx; + if (count > sizeof(ei->data) - sizeof(*elt) - sizeof(*app_hdr)) + return -EINVAL; + spin_lock_bh(&g_cdev.lock); pd = g_cdev.active_pd; if (pd)