From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Sat, 29 Oct 2011 07:20:20 +0000 (+0300)
Subject: Staging: sep: potential buffer overflow in ioctl
X-Git-Url: https://git.karo-electronics.de/?a=commitdiff_plain;h=9638b67ba25b4a008767fca3b6f52d24400a8d1d;p=linux-beck.git

Staging: sep: potential buffer overflow in ioctl

tail_size is determined by several variables that come from the user
so we should verify that it's not too large.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Alan Cox <alan@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---

diff --git a/drivers/staging/sep/sep_driver.c b/drivers/staging/sep/sep_driver.c
index 8ac3faea2d2f..e624e2874902 100644
--- a/drivers/staging/sep/sep_driver.c
+++ b/drivers/staging/sep/sep_driver.c
@@ -2120,6 +2120,8 @@ static int sep_prepare_input_output_dma_table_in_dcb(struct sep_device *sep,
 			}
 		}
 		if (tail_size) {
+			if (tail_size > sizeof(dcb_table_ptr->tail_data))
+				return -EINVAL;
 			if (is_kva == true) {
 				memcpy(dcb_table_ptr->tail_data,
 					(void *)(app_in_address + data_in_size -