Limit the size of the copy so we don't corrupt memory.  Hopefully
this can only be called by root, but fixing this makes the static
checkers happier.

Signed-off-by: Dan Carpenter <dan.carpen...@oracle.com>

diff --git a/drivers/message/i2o/i2o_config.c b/drivers/message/i2o/i2o_config.c
index 5451bef..a60c188 100644
--- a/drivers/message/i2o/i2o_config.c
+++ b/drivers/message/i2o/i2o_config.c
@@ -687,6 +687,11 @@ static int i2o_cfg_passthru32(struct file *file, unsigned 
cmnd,
                }
                size = size >> 16;
                size *= 4;
+               if (size > sizeof(rmsg)) {
+                       rcode = -EINVAL;
+                       goto sg_list_cleanup;
+               }
+
                /* Copy in the user's I2O command */
                if (copy_from_user(rmsg, user_msg, size)) {
                        rcode = -EFAULT;
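Review bot: The new bound `size > sizeof(rmsg)` is only right if `rmsg` is an array declared inside i2o_cfg_passthru32. Its declaration is outside this hunk, and if it were a pointer the limit would be the pointer width rather than the buffer size, so this is worth confirming. The same applies to the identical check in the i2o_cfg_passthru hunk. A short comment above the check, such as `/* size comes from the user-supplied header; never copy more than rmsg holds */`, would record why it exists. The `sg_list_cleanup` label is also outside the hunk, so check that everything it releases is already initialised at this early exit.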
@@ -922,6 +927,11 @@ static int i2o_cfg_passthru(unsigned long arg)
                }
                size = size >> 16;
                size *= 4;
+               if (size > sizeof(rmsg)) {
+                       rcode = -EFAULT;
+                       goto sg_list_cleanup;
+               }
+
                /* Copy in the user's I2O command */
                if (copy_from_user(rmsg, user_msg, size)) {
                        rcode = -EFAULT;
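Review bot: The oversized-length branch here sets `rcode = -EFAULT;`, while the identical check added to i2o_cfg_passthru32 in the first hunk sets `-EINVAL`. A length that exceeds the message buffer is an invalid argument rather than a faulting address, so `rcode = -EINVAL;` would keep the two paths consistent. It would also let callers tell this rejection apart from the copy_from_user() failure just below. The body of i2o_cfg_passthru starts and ends outside the hunk.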
--