Message ID | 20100908193956.GB3463@bicker |
---|---|
State | Accepted |
Commit | 5e59be1f351b0ca9c5a43c627e3ed676ae93a941 |
Headers | show |
On Wed, 2010-09-08 at 21:39 +0200, Dan Carpenter wrote: > If "ur_idx" is wrong we could go past the end of the array. The > "ur_idx" comes from root so it's not a huge deal, but adding a sanity > check makes the code more robust. > > Signed-off-by: Dan Carpenter <error27@gmail.com> > > diff --git a/drivers/mtd/mtdchar.c b/drivers/mtd/mtdchar.c > index a825002..9c00549 100644 > --- a/drivers/mtd/mtdchar.c > +++ b/drivers/mtd/mtdchar.c > @@ -513,6 +513,9 @@ static int mtd_ioctl(struct file *file, u_int cmd, u_long arg) > if (get_user(ur_idx, &(ur->regionindex))) > return -EFAULT; > > + if (ur_idx >= mtd->numeraseregions) > + return -EINVAL; > + Pushed to l2-mtd-2.6.git with my "Signed-off-by", thanks.
diff --git a/drivers/mtd/mtdchar.c b/drivers/mtd/mtdchar.c index a825002..9c00549 100644 --- a/drivers/mtd/mtdchar.c +++ b/drivers/mtd/mtdchar.c @@ -513,6 +513,9 @@ static int mtd_ioctl(struct file *file, u_int cmd, u_long arg) if (get_user(ur_idx, &(ur->regionindex))) return -EFAULT; + if (ur_idx >= mtd->numeraseregions) + return -EINVAL; + kr = &(mtd->eraseregions[ur_idx]); if (put_user(kr->offset, &(ur->offset))
If "ur_idx" is wrong we could go past the end of the array. The "ur_idx" comes from root so it's not a huge deal, but adding a sanity check makes the code more robust. Signed-off-by: Dan Carpenter <error27@gmail.com>