mtd: sanity check ioctl input
Linux-MTD Mailing List
linux-mtd at lists.infradead.org
Sun Oct 24 20:59:06 EDT 2010
Gitweb: http://git.infradead.org/?p=mtd-2.6.git;a=commit;h=5e59be1f351b0ca9c5a43c627e3ed676ae93a941
Commit: 5e59be1f351b0ca9c5a43c627e3ed676ae93a941
Parent: 0eecf4b20d63e0662d0a9732e9bd8a84bd3f872c
Author: Dan Carpenter <error27 at gmail.com>
AuthorDate: Wed Sep 8 21:39:56 2010 +0200
Committer: David Woodhouse <David.Woodhouse at intel.com>
CommitDate: Sun Oct 24 23:52:49 2010 +0100
mtd: sanity check ioctl input
If "ur_idx" is wrong we could go past the end of the array. The
"ur_idx" comes from root so it's not a huge deal, but adding a sanity
check makes the code more robust.
Signed-off-by: Dan Carpenter <error27 at gmail.com>
Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy at nokia.com>
Signed-off-by: David Woodhouse <David.Woodhouse at intel.com>
---
drivers/mtd/mtdchar.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/drivers/mtd/mtdchar.c b/drivers/mtd/mtdchar.c
index 1d981a5..5895de7 100644
--- a/drivers/mtd/mtdchar.c
+++ b/drivers/mtd/mtdchar.c
@@ -546,6 +546,9 @@ static int mtd_ioctl(struct file *file, u_int cmd, u_long arg)
if (get_user(ur_idx, &(ur->regionindex)))
return -EFAULT;
+ if (ur_idx >= mtd->numeraseregions)
+ return -EINVAL;
+
kr = &(mtd->eraseregions[ur_idx]);
if (put_user(kr->offset, &(ur->offset))
More information about the linux-mtd-cvs
mailing list