Staging: bcm: Fix information leak in IOCTL_BCM_GET_DRIVER_VERSION

This ioctl, IOCTL_BCM_GET_DRIVER_VERSION, is responsible for sending the driver version to userspace. However, the requested size stored in IoBuffer.OutputLength may be incorrect. Therefore, we altered the code to send the exact length of the version, plus one for the null character. Signed-off-by: Kevin McKinney <klmckinney1@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
author: Kevin McKinney <klmckinney1@gmail.com> 2011-12-15 03:44:33 (GMT)
committer: Greg Kroah-Hartman <gregkh@suse.de> 2011-12-22 21:32:45 (GMT)
commit: b72a7c859efc9e0cf13600b30a555457a08dd86f (patch)
tree: 3d284a1e03b1725c5c0f1f6d19a67d9a9f188d19 /drivers/staging/bcm
parent: d1840eda7add1d0fdee5cf7ad2ac7ad0f656eecb (diff)
download: linux-b72a7c859efc9e0cf13600b30a555457a08dd86f.tar.xz
1 files changed, 5 insertions, 1 deletions
diff --git a/drivers/staging/bcm/Bcmchar.c b/drivers/staging/bcm/Bcmchar.c
index c4d7a61..fa4a854b 100644
--- a/drivers/staging/bcm/Bcmchar.c
+++ b/drivers/staging/bcm/Bcmchar.c
@@ -999,11 +999,15 @@ cntrlEnd:
 	}
 
 	case IOCTL_BCM_GET_DRIVER_VERSION: {
+		ulong len;
+
 		/* Copy Ioctl Buffer structure */
 		if (copy_from_user(&IoBuffer, argp, sizeof(IOCTL_BUFFER)))
 			return -EFAULT;
 
-		if (copy_to_user(IoBuffer.OutputBuffer, VER_FILEVERSION_STR, IoBuffer.OutputLength))
+		len = min_t(ulong, IoBuffer.OutputLength, strlen(VER_FILEVERSION_STR) + 1);
+
+		if (copy_to_user(IoBuffer.OutputBuffer, VER_FILEVERSION_STR, len))
 			return -EFAULT;
 		Status = STATUS_SUCCESS;
 		break;
author	Kevin McKinney <klmckinney1@gmail.com>	2011-12-15 03:44:33 (GMT)
committer	Greg Kroah-Hartman <gregkh@suse.de>	2011-12-22 21:32:45 (GMT)
commit	b72a7c859efc9e0cf13600b30a555457a08dd86f (patch)
tree	3d284a1e03b1725c5c0f1f6d19a67d9a9f188d19 /drivers/staging/bcm
parent	d1840eda7add1d0fdee5cf7ad2ac7ad0f656eecb (diff)
download	linux-b72a7c859efc9e0cf13600b30a555457a08dd86f.tar.xz