authorClemens Ladisch <clemens@ladisch.de>2010-05-19 10:28:32 +0400
committerStefan Richter <stefanr@s5r6.in-berlin.de>2010-06-09 21:42:18 +0400
commita10c0ce76098857b899505d05de9f2e13ddf7a7a (patch)
tree130592c6baaff2e38dd813448337dded1ee1645b /drivers/firewire/core-cdev.c
parent262444eecce40950af19ea4d75a3dc03b3c07283 (diff)
firewire: check cdev response length
Add a check that the data length in the SEND_RESPONSE ioctl is correct. Incidentally, this also fixes the previously wrong response length of software-handled lock requests. Signed-off-by: Clemens Ladisch <clemens@ladisch.de> Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Diffstat (limited to 'drivers/firewire/core-cdev.c')
-rw-r--r--drivers/firewire/core-cdev.c9
1 files changed, 6 insertions, 3 deletions
diff --git a/drivers/firewire/core-cdev.c b/drivers/firewire/core-cdev.c
index 9d1a1a1a83c9..50332b84f49a 100644
--- a/drivers/firewire/core-cdev.c
+++ b/drivers/firewire/core-cdev.c
@@ -756,9 +756,12 @@ static int ioctl_send_response(struct client *client, union ioctl_arg *arg)
if (is_fcp_request(r->request))
goto out;
- if (a->length < r->length)
- r->length = a->length;
- if (copy_from_user(r->data, u64_to_uptr(a->data), r->length)) {
+ if (a->length != fw_get_response_length(r->request)) {
+ ret = -EINVAL;
+ kfree(r->request);
+ goto out;
+ }
+ if (copy_from_user(r->data, u64_to_uptr(a->data), a->length)) {
ret = -EFAULT;
kfree(r->request);
goto out;
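Review bot: The write into `r->data` at `copy_from_user(r->data, u64_to_uptr(a->data), a->length)` is now bounded only by the equality test against `fw_get_response_length(r->request)`, whereas the removed lines clamped the copy to `r->length` explicitly. That is safe only if the response length computed for every request type can never exceed the size `r->data` was allocated with, which this hunk does not show. I would either state that invariant in a comment above the check or keep the bound explicit with `if (a->length != fw_get_response_length(r->request) || a->length > r->length) {`. If the helper returns a signed type, it is also worth confirming it cannot return a negative value, since that would be converted to a large unsigned one when compared with the user-supplied `a->length`. ioctl_send_response starts and ends outside the hunk.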