diff options
| author | Kevin McKinney <klmckinney1@gmail.com> | 2011-11-06 09:40:11 -0500 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@suse.de> | 2011-11-26 17:11:58 -0800 |
| commit | 41c7b7c0fa2f68afb1154e88597ff6b9b97334cf (patch) | |
| tree | 37f8f318c8c02d890be2b77f3ad625a460ef14f5 /drivers/staging/bcm/Misc.c | |
| parent | 57bfa9d41741614cb945064521fc8904440313c7 (diff) | |
Staging: bcm: Fix information leak in ioctl: IOCTL_BCM_REGISTER_READ_PRIVATE, IOCTL_BCM_EEPROM_REGISTER_READ
This patch fixes an information leak in ioctl
IOCTL_BCM_REGISTER_READ_PRIVATE and
IOCTL_BCM_EEPROM_REGISTER_READ when determining
the number of bytes to copy to user space. Function,
usb_control_msg, returns the correct number of
bytes from the hardware. Instead of using
this value, we were using a value derived from
user space. In this case, this value could be more
than the hardware allocated. Therefore, this
patch copies the proper number of bytes from
the hardware, and uses this value as the maximum
number of bytes for user space.
Signed-off-by: Kevin McKinney <klmckinney1@gmail.com>
Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'drivers/staging/bcm/Misc.c')
| -rw-r--r-- | drivers/staging/bcm/Misc.c | 32 |
1 files changed, 22 insertions, 10 deletions
diff --git a/drivers/staging/bcm/Misc.c b/drivers/staging/bcm/Misc.c index e9f29d597518..c7725e141fd5 100644 --- a/drivers/staging/bcm/Misc.c +++ b/drivers/staging/bcm/Misc.c @@ -814,6 +814,7 @@ int reset_card_proc(PMINI_ADAPTER ps_adapter) PMINI_ADAPTER Adapter = GET_BCM_ADAPTER(gblpnetdev); PS_INTERFACE_ADAPTER psIntfAdapter = NULL; unsigned int value = 0, uiResetValue = 0; + int bytes; psIntfAdapter = ((PS_INTERFACE_ADAPTER)(ps_adapter->pvInterfaceAdapter)); ps_adapter->bDDRInitDone = FALSE; @@ -848,8 +849,9 @@ int reset_card_proc(PMINI_ADAPTER ps_adapter) ps_adapter->chip_id == BCS250_BC || ps_adapter->chip_id == BCS220_3) { - retval = rdmalt(ps_adapter, HPM_CONFIG_LDO145, &value, sizeof(value)); - if (retval < 0) { + bytes = rdmalt(ps_adapter, HPM_CONFIG_LDO145, &value, sizeof(value)); + if (bytes < 0) { + retval = bytes; BCM_DEBUG_PRINT(Adapter, DBG_TYPE_PRINTK, 0, 0, "read failed with status :%d", retval); goto err_exit; } @@ -862,8 +864,9 @@ int reset_card_proc(PMINI_ADAPTER ps_adapter) } } } else { - retval = rdmalt(ps_adapter, 0x0f007018, &value, sizeof(value)); - if (retval < 0) { + bytes = rdmalt(ps_adapter, 0x0f007018, &value, sizeof(value)); + if (bytes < 0) { + retval = bytes; BCM_DEBUG_PRINT(Adapter, DBG_TYPE_PRINTK, 0, 0, "read failed with status :%d", retval); goto err_exit; } @@ -925,11 +928,16 @@ err_exit: int run_card_proc(PMINI_ADAPTER ps_adapter) { + int status = STATUS_SUCCESS; + int bytes; + unsigned int value = 0; { - if (rdmalt(ps_adapter, CLOCK_RESET_CNTRL_REG_1, &value, sizeof(value)) < 0) { + bytes = rdmalt(ps_adapter, CLOCK_RESET_CNTRL_REG_1, &value, sizeof(value)); + if (bytes < 0) { + status = bytes; BCM_DEBUG_PRINT(ps_adapter, DBG_TYPE_INITEXIT, MP_INIT, DBG_LVL_ALL, "%s:%d\n", __func__, __LINE__); - return STATUS_FAILURE; + return status; } if (ps_adapter->bFlashBoot) @@ -942,7 +950,7 @@ int run_card_proc(PMINI_ADAPTER ps_adapter) return STATUS_FAILURE; } } - return STATUS_SUCCESS; + return status; } int InitCardAndDownloadFirmware(PMINI_ADAPTER ps_adapter) @@ -1215,6 +1223,7 @@ static unsigned char *ReadMacAddrEEPROM(PMINI_ADAPTER Adapter, ulong dwAddress) int status = 0, i = 0; unsigned int temp = 0; unsigned char *pucmacaddr = kmalloc(MAC_ADDRESS_SIZE, GFP_KERNEL); + int bytes; if (!pucmacaddr) { BCM_DEBUG_PRINT(Adapter, DBG_TYPE_PRINTK, 0, 0, "No Buffers to Read the EEPROM Address\n"); @@ -1231,8 +1240,9 @@ static unsigned char *ReadMacAddrEEPROM(PMINI_ADAPTER Adapter, ulong dwAddress) } for (i = 0; i < MAC_ADDRESS_SIZE; i++) { - status = rdmalt(Adapter, EEPROM_READ_DATA_Q_REG, &temp, sizeof(temp)); - if (status != STATUS_SUCCESS) { + bytes = rdmalt(Adapter, EEPROM_READ_DATA_Q_REG, &temp, sizeof(temp)); + if (bytes < 0) { + status = bytes; BCM_DEBUG_PRINT(Adapter, DBG_TYPE_PRINTK, 0, 0, "rdm Failed..\n"); kfree(pucmacaddr); pucmacaddr = NULL; @@ -1574,11 +1584,13 @@ void update_per_sf_desc_cnts(PMINI_ADAPTER Adapter) { INT iIndex = 0; u32 uibuff[MAX_TARGET_DSX_BUFFERS]; + int bytes; if (!atomic_read(&Adapter->uiMBupdate)) return; - if (rdmaltWithLock(Adapter, TARGET_SFID_TXDESC_MAP_LOC, (PUINT)uibuff, sizeof(UINT) * MAX_TARGET_DSX_BUFFERS) < 0) { + bytes = rdmaltWithLock(Adapter, TARGET_SFID_TXDESC_MAP_LOC, (PUINT)uibuff, sizeof(UINT) * MAX_TARGET_DSX_BUFFERS); + if (bytes < 0) { BCM_DEBUG_PRINT(Adapter, DBG_TYPE_PRINTK, 0, 0, "rdm failed\n"); return; } |