From: Kevin McKinney Date: Thu, 15 Dec 2011 03:44:33 +0000 (-0500) Subject: Staging: bcm: Fix information leak in IOCTL_BCM_GET_DRIVER_VERSION X-Git-Url: https://git.karo-electronics.de/?a=commitdiff_plain;h=b72a7c859efc9e0cf13600b30a555457a08dd86f;p=linux-beck.git Staging: bcm: Fix information leak in IOCTL_BCM_GET_DRIVER_VERSION This ioctl, IOCTL_BCM_GET_DRIVER_VERSION, is responsible for sending the driver version to userspace. However, the requested size stored in IoBuffer.OutputLength may be incorrect. Therefore, we altered the code to send the exact length of the version, plus one for the null character. Signed-off-by: Kevin McKinney Signed-off-by: Greg Kroah-Hartman --- diff --git a/drivers/staging/bcm/Bcmchar.c b/drivers/staging/bcm/Bcmchar.c index c4d7a6194180..fa4a854ba054 100644 --- a/drivers/staging/bcm/Bcmchar.c +++ b/drivers/staging/bcm/Bcmchar.c @@ -999,11 +999,15 @@ cntrlEnd: } case IOCTL_BCM_GET_DRIVER_VERSION: { + ulong len; + /* Copy Ioctl Buffer structure */ if (copy_from_user(&IoBuffer, argp, sizeof(IOCTL_BUFFER))) return -EFAULT; - if (copy_to_user(IoBuffer.OutputBuffer, VER_FILEVERSION_STR, IoBuffer.OutputLength)) + len = min_t(ulong, IoBuffer.OutputLength, strlen(VER_FILEVERSION_STR) + 1); + + if (copy_to_user(IoBuffer.OutputBuffer, VER_FILEVERSION_STR, len)) return -EFAULT; Status = STATUS_SUCCESS; break;