i2o: check copy_from_user() size parameter

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Limit the size of the copy so we don't corrupt memory. Hopefully this
can only be called by root, but fixing this makes the static checkers
happier.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Jiri Kosina <jkosina@suse.cz>
Cc: Masanari Iida <standby24x7@gmail.com>
Cc: Alan Cox <alan@linux.intel.com>
Cc: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

authored by

Dan Carpenter and committed by

Linus Torvalds 13 years ago 9151b398 79bae42d

+10

1 changed file

expand all

drivers

message

i2o

i2o_config.c

+10

drivers/message/i2o/i2o_config.c

··· 687 687 } 688 688 size = size >> 16; 689 689 size *= 4; 690 + if (size > sizeof(rmsg)) { 691 + rcode = -EINVAL; 692 + goto sg_list_cleanup; 693 + } 694 + 690 695 /* Copy in the user's I2O command */ 691 696 if (copy_from_user(rmsg, user_msg, size)) { 692 697 rcode = -EFAULT; ··· 927 922 } 928 923 size = size >> 16; 929 924 size *= 4; 925 + if (size > sizeof(rmsg)) { 926 + rcode = -EFAULT; 927 + goto sg_list_cleanup; 928 + } 929 + 930 930 /* Copy in the user's I2O command */ 931 931 if (copy_from_user(rmsg, user_msg, size)) { 932 932 rcode = -EFAULT;