From e4c536b72fd6b25c7f4f9c6f293f43ba287b8e8f Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Fri, 14 Sep 2012 09:56:00 +0300 Subject: [PATCH] Staging: silicom: add some range checks to proc functions If you tried to cat more than 255 characters (the last character is for the terminator) to these proc files then it would corrupt kernel memory. Signed-off-by: Dan Carpenter Signed-off-by: Daniel Cotey Signed-off-by: Greg Kroah-Hartman --- drivers/staging/silicom/bp_mod.c | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/drivers/staging/silicom/bp_mod.c b/drivers/staging/silicom/bp_mod.c index 6e999c7..1b3f5e7 100644 --- a/drivers/staging/silicom/bp_mod.c +++ b/drivers/staging/silicom/bp_mod.c @@ -8227,6 +8227,9 @@ set_dis_bypass_pfs(struct file *file, const char *buffer, int bypass_param = 0, length = 0; + if (count >= sizeof(kbuf)) + return -EINVAL; + if (copy_from_user(&kbuf, buffer, count)) { return -1; } @@ -8256,6 +8259,9 @@ set_dis_tap_pfs(struct file *file, const char *buffer, int tap_param = 0, length = 0; + if (count >= sizeof(kbuf)) + return -EINVAL; + if (copy_from_user(&kbuf, buffer, count)) { return -1; } @@ -8285,6 +8291,9 @@ set_dis_disc_pfs(struct file *file, const char *buffer, int tap_param = 0, length = 0; + if (count >= sizeof(kbuf)) + return -EINVAL; + if (copy_from_user(&kbuf, buffer, count)) { return -1; } @@ -8374,6 +8383,9 @@ set_bypass_pwup_pfs(struct file *file, const char *buffer, int bypass_param = 0, length = 0; + if (count >= sizeof(kbuf)) + return -EINVAL; + if (copy_from_user(&kbuf, buffer, count)) { return -1; } @@ -8403,6 +8415,9 @@ set_bypass_pwoff_pfs(struct file *file, const char *buffer, int bypass_param = 0, length = 0; + if (count >= sizeof(kbuf)) + return -EINVAL; + if (copy_from_user(&kbuf, buffer, count)) { return -1; } @@ -8432,6 +8447,9 @@ set_tap_pwup_pfs(struct file *file, const char *buffer, int tap_param = 0, length = 0; + if (count >= sizeof(kbuf)) + return -EINVAL; + if (copy_from_user(&kbuf, buffer, count)) { return -1; } @@ -8461,6 +8479,9 @@ set_disc_pwup_pfs(struct file *file, const char *buffer, int tap_param = 0, length = 0; + if (count >= sizeof(kbuf)) + return -EINVAL; + if (copy_from_user(&kbuf, buffer, count)) { return -1; } @@ -8570,6 +8591,9 @@ set_std_nic_pfs(struct file *file, const char *buffer, int bypass_param = 0, length = 0; + if (count >= sizeof(kbuf)) + return -EINVAL; + if (copy_from_user(&kbuf, buffer, count)) { return -1; } -- 2.7.4