Re: [PATCH] firewire: cdev: fix information leak

view
thread

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

From: Stefan Richter

Subject: Re: [PATCH] firewire: cdev: fix information leak

Date: Tuesday, April 6, 2010 - 11:30 pm

Stefan Richter wrote:
quoted text> --- a/drivers/firewire/core-cdev.c
> +++ b/drivers/firewire/core-cdev.c
> @@ -1346,41 +1346,43 @@ static int (* const ioctl_handlers[])(st
>  static int dispatch_ioctl(struct client *client,
>  			  unsigned int cmd, void __user *arg)
>  {
>  	union ioctl_arg buffer;
>  	int ret;
>  
>  	if (fw_device_is_shutdown(client->device))
>  		return -ENODEV;
>  
>  	if (_IOC_TYPE(cmd) != '#' ||
>  	    _IOC_NR(cmd) >= ARRAY_SIZE(ioctl_handlers))
>  		return -EINVAL;
>  
> -	if (_IOC_DIR(cmd) & _IOC_WRITE) {
> -		if (_IOC_SIZE(cmd) > sizeof(buffer) ||
> -		    copy_from_user(&buffer, arg, _IOC_SIZE(cmd)))
> +	if (_IOC_SIZE(cmd) > sizeof(buffer))
> +		return -EFAULT;

I'll combine this into the preceding -EINVAL return.  Cf. man ioctl.

quoted text> +
> +	if (_IOC_DIR(cmd) == _IOC_READ)
> +		memset(&buffer, 0, _IOC_SIZE(cmd));
> +
> +	if (_IOC_DIR(cmd) & _IOC_WRITE)
> +		if (copy_from_user(&buffer, arg, _IOC_SIZE(cmd)))
>  			return -EFAULT;
> -	}
>  
>  	ret = ioctl_handlers[_IOC_NR(cmd)](client, &buffer);
>  	if (ret < 0)
>  		return ret;
>  
> -	if (_IOC_DIR(cmd) & _IOC_READ) {
> -		if (_IOC_SIZE(cmd) > sizeof(buffer) ||
> -		    copy_to_user(arg, &buffer, _IOC_SIZE(cmd)))
> +	if (_IOC_DIR(cmd) & _IOC_READ)
> +		if (copy_to_user(arg, &buffer, _IOC_SIZE(cmd)))
>  			return -EFAULT;
> -	}
>  
>  	return ret;
>  }

-- 
Stefan Richter
-=====-==-=- -=-- --===
http://arcgraph.de/sr/
--
unsubscribe noticeTo unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

[PATCH] firewire: cdev: fix information leak, Stefan Richter, (Tue Apr 6, 2:59 pm)

Re: [PATCH] firewire: cdev: fix information leak, Stefan Richter, (Tue Apr 6, 11:30 pm)

Navigation

Popular discussions


linux-kernel:
Ingo Molnar	Re: [patch 00/13] Syslets, "Threadlets", generic AIO support, v3
Vivek Goyal	[PATCH] x86_64: Display more intutive error message if kernel is not 2MB aligned
Andi Kleen	[PATCH] [0/35] Some x86 2.6.22 candidate patches for review
Andrew Morton	Re: [PATCH] lazy freeing of memory through MADV_FREE 2/2
Peter Zijlstra	Re: [RFC PATCH 1/2] Marker probes in futex.c
git:
Felipe Contreras	Re: [kernel.org users] [RFD] On deprecating "git-foo" for builtins
Johannes Schindelin	[PATCH] fetch: refuse to fetch into the current branch in a non-bare repository
Johannes Schindelin	Re: [PATCH] Fix install-doc-quick target
Nicolas Pitre	Re: About git and the use of SHA-1
Alex Riesen	Re: git exclude patterns for directory
linux-netdev:
Ursula Braun	[patch 2/8] [PATCH] af_iucv: sync sk shutdown flag if iucv path is quiesced
David Dillow	Re: [PATCH 2.6.30-rc4] r8169: avoid losing MSI interrupts
Andi Kleen	Re: RFC: Nagle latency tuning
Paul E. McKenney	Re: [PATCH 1/3] rcu: Introduce hlist_nulls variant of hlist
Russell King	Re: [BUG] New Kernel Bugs
git-commits-head:
Linux Kernel Mailing List	sh: Fix compile error by operands(mov.l) in sh3/entry.S
Linux Kernel Mailing List	New device ID for sc92031 [1088:2031]
Linux Kernel Mailing List	powerpc/kexec: Add support for FSL-BookE
Linux Kernel Mailing List	drivers/acpi: use kasprintf
Linux Kernel Mailing List	[ARM] 5388/1: Add hwcap bits for VFPv3 and VFPv3D16
openbsd-misc:
Andres Salazar	About priorities in /etc/resolv.conf
Rob Shepherd	x86 hardware for router system
Henning Brauer	Re: Sun Blade 1000?
Mitja Muženič	Re: isakmpd -- NCP IPsec client: peer proposed invalid phase 2 IDs
Damien Miller	Re: Patching a SSH 'Weakness'

Colocation donated by:

Syndicate