[PATCH 1/2] i2o: fix overflow of copy_to_user()

From: Kulikov Vasiliy
Date: Thu Jul 15 2010 - 02:42:54 EST

Next message: Kulikov Vasiliy: "[PATCH 2/2] i2o: check return code from put_user()"
Previous message: Dave Airlie: "Re: [alsa-devel] [PATCH] driver core: remove CONFIG_SYSFS_DEPRECATED"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

If (len > reslen) we must not call copy_to_user() since kernel buffer is
smaller than we want to copy. Similar code in this file is correct, so
this bug was a typo.

Signed-off-by: Kulikov Vasiliy <segooon@xxxxxxxxx>
---
drivers/message/i2o/i2o_config.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/drivers/message/i2o/i2o_config.c b/drivers/message/i2o/i2o_config.c
index c4b117f..4dd39a0 100644
--- a/drivers/message/i2o/i2o_config.c
+++ b/drivers/message/i2o/i2o_config.c
@@ -115,7 +115,7 @@ static int i2o_cfg_gethrt(unsigned long arg)
put_user(len, kcmd.reslen);
if (len > reslen)
ret = -ENOBUFS;
- if (copy_to_user(kcmd.resbuf, (void *)hrt, len))
+ else if (copy_to_user(kcmd.resbuf, (void *)hrt, len))
ret = -EFAULT;

return ret;
--
1.7.0.4

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Kulikov Vasiliy: "[PATCH 2/2] i2o: check return code from put_user()"
Previous message: Dave Airlie: "Re: [alsa-devel] [PATCH] driver core: remove CONFIG_SYSFS_DEPRECATED"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]