Patchwork mtd: sanity check input

Submitter Dan Carpenter
Date Sept. 8, 2010, 7:39 p.m.
Message ID <20100908193956.GB3463@bicker>
Permalink /patch/64201/
State New

Comments

Dan Carpenter - Sept. 8, 2010, 7:39 p.m.
If "ur_idx" is wrong we could go past the end of the array.  The
"ur_idx" comes from root so it's not a huge deal, but adding a sanity
check makes the code more robust.

Signed-off-by: Dan Carpenter <error27@gmail.com>

Artem Bityutskiy - Sept. 13, 2010, 8:53 a.m.
On Wed, 2010-09-08 at 21:39 +0200, Dan Carpenter wrote:
> If "ur_idx" is wrong we could go past the end of the array.  The
> "ur_idx" comes from root so it's not a huge deal, but adding a sanity
> check makes the code more robust.
> 
> Signed-off-by: Dan Carpenter <error27@gmail.com>
> 
> diff --git a/drivers/mtd/mtdchar.c b/drivers/mtd/mtdchar.c
> index a825002..9c00549 100644
> --- a/drivers/mtd/mtdchar.c
> +++ b/drivers/mtd/mtdchar.c
> @@ -513,6 +513,9 @@ static int mtd_ioctl(struct file *file, u_int cmd, u_long arg)
>  		if (get_user(ur_idx, &(ur->regionindex)))
>  			return -EFAULT;
>  
> +		if (ur_idx >= mtd->numeraseregions)
> +			return -EINVAL;
> +
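
Review bot: the subject "mtd: sanity check input" does not say which input is checked, while the hunk touches only the `regionindex` value read by `get_user()` in `mtd_ioctl()` in drivers/mtd/mtdchar.c. A subject that names the field and the function, for example "mtdchar: range-check regionindex in mtd_ioctl", would let someone scanning the log or backporting fixes find this bounds check without opening the diff.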

Pushed to l2-mtd-2.6.git with my "Signed-off-by", thanks.

Patch

diff --git a/drivers/mtd/mtdchar.c b/drivers/mtd/mtdchar.c
index a825002..9c00549 100644
--- a/drivers/mtd/mtdchar.c
+++ b/drivers/mtd/mtdchar.c
@@ -513,6 +513,9 @@  static int mtd_ioctl(struct file *file, u_int cmd, u_long arg)
 		if (get_user(ur_idx, &(ur->regionindex)))
 			return -EFAULT;
 
+		if (ur_idx >= mtd->numeraseregions)
+			return -EINVAL;
+
 		kr = &(mtd->eraseregions[ur_idx]);
 
 		if (put_user(kr->offset, &(ur->offset))
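
Review bot: the new test `ur_idx >= mtd->numeraseregions` bounds the index only from above, so whether `kr = &(mtd->eraseregions[ur_idx])` is fully protected depends on the type of `ur_idx`, which is declared outside this hunk. If it is unsigned, a negative value from user space wraps to a large number and is rejected here. If it is signed, a negative index still passes and reads before the start of the array, so either add a `ur_idx < 0` test or make the declaration unsigned. Stating the type in the commit message would make that visible to anyone reviewing this hunk on its own.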