Staging: bcm: Add size maximum size restrictions for IOCTL_IDLE_REQ

In the first alteration, the MAX_CNTL_PKT_SIZE is the maximum size of the control packet in ->Adapter->txctlpacket[] which is defined in InitAdapter(). This caps the size of kmalloc memory allocation. In the second change, this max cap fixes a potential memory corruption bug when subsequent memset and memcpy calls are invoked. Signed-off-by: Kevin McKinney <klmckinney1@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
author: Kevin McKinney <klmckinney1@gmail.com> 2011-09-19 02:34:47 +0400
committer: Greg Kroah-Hartman <gregkh@suse.de> 2011-09-19 21:46:17 +0400
commit: e228b7426e65df0f2e93c783c2c89baabe318b9b (patch)
tree: 0ebdfdcd307d57ae2f5137e70e7192cfbb3dad42 /drivers/staging/bcm/Bcmchar.c
parent: 5ac5bd8754b3dabcf4aea7b5f4a28a1d8494a1b0 (diff)
download: linux-e228b7426e65df0f2e93c783c2c89baabe318b9b.tar.xz
1 files changed, 3 insertions, 0 deletions
diff --git a/drivers/staging/bcm/Bcmchar.c b/drivers/staging/bcm/Bcmchar.c
index 1905a83b3385..4c4335383977 100644
--- a/drivers/staging/bcm/Bcmchar.c
+++ b/drivers/staging/bcm/Bcmchar.c
@@ -690,6 +690,9 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
 		if (IoBuffer.InputLength < sizeof(struct link_request))
 			return -EINVAL;
 
+		if (IoBuffer.InputLength > MAX_CNTL_PKT_SIZE)
+			return -EINVAL;
+
 		pvBuffer = kmalloc(IoBuffer.InputLength, GFP_KERNEL);
 		if (!pvBuffer)
 			return -ENOMEM;
author	Kevin McKinney <klmckinney1@gmail.com>	2011-09-19 02:34:47 +0400
committer	Greg Kroah-Hartman <gregkh@suse.de>	2011-09-19 21:46:17 +0400
commit	e228b7426e65df0f2e93c783c2c89baabe318b9b (patch)
tree	0ebdfdcd307d57ae2f5137e70e7192cfbb3dad42 /drivers/staging/bcm/Bcmchar.c
parent	5ac5bd8754b3dabcf4aea7b5f4a28a1d8494a1b0 (diff)
download	linux-e228b7426e65df0f2e93c783c2c89baabe318b9b.tar.xz