[patch] mtd: sanity check input
Dan Carpenter
error27 at gmail.com
Wed Sep 8 15:39:56 EDT 2010
If "ur_idx" is wrong we could go past the end of the array. The
"ur_idx" comes from root so it's not a huge deal, but adding a sanity
check makes the code more robust.
Signed-off-by: Dan Carpenter <error27 at gmail.com>
diff --git a/drivers/mtd/mtdchar.c b/drivers/mtd/mtdchar.c
index a825002..9c00549 100644
--- a/drivers/mtd/mtdchar.c
+++ b/drivers/mtd/mtdchar.c
@@ -513,6 +513,9 @@ static int mtd_ioctl(struct file *file, u_int cmd, u_long arg)
if (get_user(ur_idx, &(ur->regionindex)))
return -EFAULT;
+ if (ur_idx >= mtd->numeraseregions)
+ return -EINVAL;
+
kr = &(mtd->eraseregions[ur_idx]);
if (put_user(kr->offset, &(ur->offset))
More information about the linux-mtd
mailing list