i2o: check copy_from_user() size parameter Limit the size of the copy so we don't corrupt memory. Hopefully this can only be called by root, but fixing this makes the static checkers happier. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Cc: Jiri Kosina <jkosina@suse.cz> Cc: Masanari Iida <standby24x7@gmail.com> Cc: Alan Cox <alan@linux.intel.com> Cc: Guenter Roeck <linux@roeck-us.net> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit: 9151b3982dafaa87bca3834c4d20db831ca98bcb [log] [tgz]
author: Dan Carpenter <dan.carpenter@oracle.com> Tue Apr 30 15:27:47 2013 -0700
committer: Linus Torvalds <torvalds@linux-foundation.org> Tue Apr 30 17:04:04 2013 -0700
tree: badf7c6879d8dc28de2c7e7b05f01e9fcb9ed6c0
parent: 79bae42d51a5d498500c890c19ef76df41d2bf59 [diff] [blame]
diff --git a/drivers/message/i2o/i2o_config.c b/drivers/message/i2o/i2o_config.c
index 5451bef..a60c188 100644
--- a/drivers/message/i2o/i2o_config.c
+++ b/drivers/message/i2o/i2o_config.c

@@ -687,6 +687,11 @@
 		}
 		size = size >> 16;
 		size *= 4;
+		if (size > sizeof(rmsg)) {
+			rcode = -EINVAL;
+			goto sg_list_cleanup;
+		}
+
 		/* Copy in the user's I2O command */
 		if (copy_from_user(rmsg, user_msg, size)) {
 			rcode = -EFAULT;
@@ -922,6 +927,11 @@
 		}
 		size = size >> 16;
 		size *= 4;
+		if (size > sizeof(rmsg)) {
+			rcode = -EFAULT;
+			goto sg_list_cleanup;
+		}
+
 		/* Copy in the user's I2O command */
 		if (copy_from_user(rmsg, user_msg, size)) {
 			rcode = -EFAULT;
commit	9151b3982dafaa87bca3834c4d20db831ca98bcb	[log] [tgz]
author	Dan Carpenter <dan.carpenter@oracle.com>	Tue Apr 30 15:27:47 2013 -0700
committer	Linus Torvalds <torvalds@linux-foundation.org>	Tue Apr 30 17:04:04 2013 -0700
tree	badf7c6879d8dc28de2c7e7b05f01e9fcb9ed6c0
parent	79bae42d51a5d498500c890c19ef76df41d2bf59 [diff] [blame]