From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Wed, 9 Jan 2013 07:09:19 +0000 (+0300)
Subject: Staging: bcm: copying more data than intended
X-Git-Tag: v3.9-rc1~127^2~459
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=cb9cc9cae9ebde1148e48c9682205af8518ec0c9;p=platform%2Fupstream%2Fkernel-adaptation-pc.git

Staging: bcm: copying more data than intended

This was changed to bcm_flash2x_cs_info instead of bcm_flash_cs_info
when we got rid of the typedefs.  bcm_flash2x_cs_info is quite a bit
larger than bcm_flash_cs_info (436 bytes instead of 96) so it would
corrupt user memory and it's an info leak.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---

diff --git a/drivers/staging/bcm/Bcmchar.c b/drivers/staging/bcm/Bcmchar.c
index 4ba1a5d..491e2bf 100644
--- a/drivers/staging/bcm/Bcmchar.c
+++ b/drivers/staging/bcm/Bcmchar.c
@@ -1792,7 +1792,7 @@ cntrlEnd:
 			if (IoBuffer.OutputLength < sizeof(struct bcm_flash_cs_info))
 				return -EINVAL;
 
-			if (copy_to_user(IoBuffer.OutputBuffer, Adapter->psFlashCSInfo, sizeof(struct bcm_flash2x_cs_info)))
+			if (copy_to_user(IoBuffer.OutputBuffer, Adapter->psFlashCSInfo, sizeof(struct bcm_flash_cs_info)))
 				return -EFAULT;
 		}
 	}