Gitiles
Code Review Sign In
gerrit-public.fairphone.software / fp2-dev / kernel / msm / a8e93f3dccc066cd6dd1e9db1e35942914fc57d1
commita8e93f3dccc066cd6dd1e9db1e35942914fc57d1[log] [tgz]
authorClemens Ladisch <clemens@ladisch.de>Wed Jul 07 14:37:30 2010 +0200
committerStefan Richter <stefanr@s5r6.in-berlin.de>Tue Jul 13 09:47:47 2010 +0200
tree9165f872029ef76e99fd40c0afb6d8c896f8cabc
parent250b2b6dd421c9f8844a867d2ac06e0661e0ad93 [diff]
firewire: cdev: check write quadlet request length to avoid buffer overflow

Check that the data length of a write quadlet request actually is large
enough for a quadlet.  Otherwise, fw_fill_request could access the four
bytes after the end of the outbound_transaction_event structure.

Signed-off-by: Clemens Ladisch <clemens@ladisch.de>

Modification of Clemens' change:  Consolidate the check into
init_request() which is used by the affected ioctl_send_request() and
ioctl_send_broadcast_request() and the unaffected
ioctl_send_stream_packet(), to save a few lines of code.

Note, since struct outbound_transaction_event *e is slab-allocated, such
an out-of-bounds access won't hit unallocated memory but may result in a
(virtually impossible to exploit) information disclosure.

Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
1 file changed
tree: 9165f872029ef76e99fd40c0afb6d8c896f8cabc
  1. arch/
  2. block/
  3. crypto/
  4. Documentation/
  5. drivers/
  6. firmware/
  7. fs/
  8. include/
  9. init/
  10. ipc/
  11. kernel/
  12. lib/
  13. mm/
  14. net/
  15. samples/
  16. scripts/
  17. security/
  18. sound/
  19. tools/
  20. usr/
  21. virt/
  22. .gitignore
  23. .mailmap
  24. COPYING
  25. CREDITS
  26. Kbuild
  27. MAINTAINERS
  28. Makefile
  29. README
  30. REPORTING-BUGS