Staging: bcm: Fix an invalid dereference to a kmalloc in IOCTL_BCM_BULK_WRM

Variable IoBuffer.InputLength is chosen from userspace,
and can therefore be less than the intended size. In this
case,the memory from the kmalloc call is eventually cast
to a PBULKWRM_BUFFER. If the IoBuffer.InputLength does not
meet the minimum size of PBULKWRM_BUFFER, then we will get
a kernel Oops. To resolve this issue, this patch verifies
IoBuffer.InputLength meets the minimum size before invoking
the kmalloc call.

Signed-off-by: Kevin McKinney <klmckinney1@gmail.com>
Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

diff --git a/drivers/staging/bcm/Bcmchar.c b/drivers/staging/bcm/Bcmchar.c
index fa4a854ba054b9e46ba92101a2bd3c3812dd2b5d..179707b5e7c7d915a7cc2845b40971af926478a3 100644 (file)
--- a/drivers/staging/bcm/Bcmchar.c
+++ b/drivers/staging/bcm/Bcmchar.c
@@ -1137,7 +1137,9 @@ cntrlEnd:
                if (copy_from_user(&IoBuffer, argp, sizeof(IOCTL_BUFFER)))
                        return -EFAULT;
 
-               /* FIXME: restrict length */
+               if (IoBuffer.InputLength < sizeof(ULONG) * 2)
+                       return -EINVAL;
+
                pvBuffer = kmalloc(IoBuffer.InputLength, GFP_KERNEL);
                if (!pvBuffer)
                        return -ENOMEM;