fix buffer overflow in the moxa driver (CVE-2005-0504)

Signed-off-by: Dann Frazier <dannf@hp.com> Signed-off-by: Andres Salomon <dilinger@debian.org> Signed-off-by: Adrian Bunk <bunk@kernel.org>

fix buffer overflow in the moxa driver (CVE-2005-0504)
Signed-off-by: Dann Frazier <dannf@hp.com> Signed-off-by: Andres Salomon <dilinger@debian.org> Signed-off-by: Adrian Bunk <bunk@kernel.org>
de9e88d5 · Dann Frazier · Adrian Bunk · cc6b1c0e · de9e88d5
Commit de9e88d5 authored Oct 06, 2007 by Dann Frazier Committed by Adrian Bunk Oct 06, 2007
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 2 deletions

drivers/char/moxa.c drivers/char/moxa.c +6 -2

No files found.
--- a/drivers/char/moxa.c
+++ b/drivers/char/moxa.c
@@ -1656,7 +1656,7 @@ int MoxaDriverIoctl(unsigned int cmd, unsigned long arg, int port)

 	if(copy_from_user(&dltmp, argp, sizeof(struct dl_str)))
 		return -EFAULT;
-	if(dltmp.cardno < 0 || dltmp.cardno >= MAX_BOARDS)
+	if(dltmp.cardno < 0 || dltmp.cardno >= MAX_BOARDS || dltmp.len < 0)
 		return -EINVAL;

 	switch(cmd)
@@ -2764,6 +2764,8 @@ static int moxaloadbios(int cardno, unsigned char __user *tmp, int len)
 	void __iomem *baseAddr;
 	int i;

+	if(len < 0 || len > sizeof(moxaBuff))
+		return -EINVAL;
 	if(copy_from_user(moxaBuff, tmp, len))
 		return -EFAULT;
 	baseAddr = moxaBaseAddr[cardno];
@@ -2811,7 +2813,7 @@ static int moxaload320b(int cardno, unsigned char __user *tmp, int len)
 	void __iomem *baseAddr;
 	int i;

-	if(len > sizeof(moxaBuff))
+	if(len < 0 || len > sizeof(moxaBuff))
 		return -EINVAL;
 	if(copy_from_user(moxaBuff, tmp, len))
 		return -EFAULT;
@@ -2831,6 +2833,8 @@ static int moxaloadcode(int cardno, unsigned char __user *tmp, int len)
 	void __iomem *baseAddr, *ofsAddr;
 	int retval, port, i;

+	if(len < 0 || len > sizeof(moxaBuff))
+		return -EINVAL;
 	if(copy_from_user(moxaBuff, tmp, len))
 		return -EFAULT;
 	baseAddr = moxaBaseAddr[cardno];