forked from luck/tmp_suning_uos_patched
firewire: cdev: check write quadlet request length to avoid buffer overflow
Check that the data length of a write quadlet request actually is large enough for a quadlet. Otherwise, fw_fill_request could access the four bytes after the end of the outbound_transaction_event structure. Signed-off-by: Clemens Ladisch <clemens@ladisch.de> Modification of Clemens' change: Consolidate the check into init_request() which is used by the affected ioctl_send_request() and ioctl_send_broadcast_request() and the unaffected ioctl_send_stream_packet(), to save a few lines of code. Note, since struct outbound_transaction_event *e is slab-allocated, such an out-of-bounds access won't hit unallocated memory but may result in a (virtually impossible to exploit) information disclosure. Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
This commit is contained in:
parent
250b2b6dd4
commit
a8e93f3dcc
|
@ -563,6 +563,10 @@ static int init_request(struct client *client,
|
|||
(request->length > 4096 || request->length > 512 << speed))
|
||||
return -EIO;
|
||||
|
||||
if (request->tcode == TCODE_WRITE_QUADLET_REQUEST &&
|
||||
request->length < 4)
|
||||
return -EINVAL;
|
||||
|
||||
e = kmalloc(sizeof(*e) + request->length, GFP_KERNEL);
|
||||
if (e == NULL)
|
||||
return -ENOMEM;
|
||||
|
|
Loading…
Reference in New Issue
Block a user