diff options
| author | Kevin McKinney | 2011-11-06 15:40:11 +0100 |
|---|---|---|
| committer | Greg Kroah-Hartman | 2011-11-27 02:11:58 +0100 |
| commit | 41c7b7c0fa2f68afb1154e88597ff6b9b97334cf (patch) | |
| tree | 37f8f318c8c02d890be2b77f3ad625a460ef14f5 /drivers/staging/bcm/InterfaceInit.c | |
| parent | Staging: bcm: hostmibs: Added temporary variable to shorten lines (diff) | |
| download | kernel-qcow2-linux-41c7b7c0fa2f68afb1154e88597ff6b9b97334cf.tar.gz kernel-qcow2-linux-41c7b7c0fa2f68afb1154e88597ff6b9b97334cf.tar.xz kernel-qcow2-linux-41c7b7c0fa2f68afb1154e88597ff6b9b97334cf.zip | |
Staging: bcm: Fix information leak in ioctl: IOCTL_BCM_REGISTER_READ_PRIVATE, IOCTL_BCM_EEPROM_REGISTER_READ
This patch fixes an information leak in ioctl
IOCTL_BCM_REGISTER_READ_PRIVATE and
IOCTL_BCM_EEPROM_REGISTER_READ when determining
the number of bytes to copy to user space. Function,
usb_control_msg, returns the correct number of
bytes from the hardware. Instead of using
this value, we were using a value derived from
user space. In this case, this value could be more
than the hardware allocated. Therefore, this
patch copies the proper number of bytes from
the hardware, and uses this value as the maximum
number of bytes for user space.
Signed-off-by: Kevin McKinney <klmckinney1@gmail.com>
Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'drivers/staging/bcm/InterfaceInit.c')
| -rw-r--r-- | drivers/staging/bcm/InterfaceInit.c | 12 |
1 files changed, 7 insertions, 5 deletions
diff --git a/drivers/staging/bcm/InterfaceInit.c b/drivers/staging/bcm/InterfaceInit.c index a09d35108f04..8e3c586a699c 100644 --- a/drivers/staging/bcm/InterfaceInit.c +++ b/drivers/staging/bcm/InterfaceInit.c @@ -68,7 +68,7 @@ static void InterfaceAdapterFree(PS_INTERFACE_ADAPTER psIntfAdapter) static void ConfigureEndPointTypesThroughEEPROM(PMINI_ADAPTER Adapter) { unsigned long ulReg = 0; - int ret; + int bytes; /* Program EP2 MAX_PKT_SIZE */ ulReg = ntohl(EP2_MPS_REG); @@ -94,8 +94,8 @@ static void ConfigureEndPointTypesThroughEEPROM(PMINI_ADAPTER Adapter) BeceemEEPROMBulkWrite(Adapter, (PUCHAR)&ulReg, 0x140, 4, TRUE); /* Program TX EP as interrupt(Alternate Setting) */ - ret = rdmalt(Adapter, 0x0F0110F8, (u32 *)&ulReg, sizeof(u32)); - if (ret) { + bytes = rdmalt(Adapter, 0x0F0110F8, (u32 *)&ulReg, sizeof(u32)); + if (bytes < 0) { BCM_DEBUG_PRINT(Adapter, DBG_TYPE_INITEXIT, DRV_ENTRY, DBG_LVL_ALL, "reading of Tx EP failed\n"); return; @@ -430,6 +430,7 @@ static int InterfaceAdapterInit(PS_INTERFACE_ADAPTER psIntfAdapter) int usedIntOutForBulkTransfer = 0 ; BOOLEAN bBcm16 = FALSE; UINT uiData = 0; + int bytes; /* Store the usb dev into interface adapter */ psIntfAdapter->udev = usb_get_dev(interface_to_usbdev(psIntfAdapter->interface)); @@ -438,9 +439,10 @@ static int InterfaceAdapterInit(PS_INTERFACE_ADAPTER psIntfAdapter) psIntfAdapter->psAdapter->interface_rdm = BcmRDM; psIntfAdapter->psAdapter->interface_wrm = BcmWRM; - retval = rdmalt(psIntfAdapter->psAdapter, CHIP_ID_REG, + bytes = rdmalt(psIntfAdapter->psAdapter, CHIP_ID_REG, (u32 *)&(psIntfAdapter->psAdapter->chip_id), sizeof(u32)); - if (retval) { + if (bytes < 0) { + retval = bytes; BCM_DEBUG_PRINT(psIntfAdapter->psAdapter, DBG_TYPE_PRINTK, 0, 0, "CHIP ID Read Failed\n"); return retval; } |