diff options
| author | Clemens Ladisch <clemens@ladisch.de> | 2010-07-07 14:37:30 +0200 |
|---|---|---|
| committer | Stefan Richter <stefanr@s5r6.in-berlin.de> | 2010-07-13 09:47:47 +0200 |
| commit | a8e93f3dccc066cd6dd1e9db1e35942914fc57d1 (patch) | |
| tree | 9165f872029ef76e99fd40c0afb6d8c896f8cabc /drivers/firewire/core-transaction.c | |
| parent | 250b2b6dd421c9f8844a867d2ac06e0661e0ad93 (diff) | |
| download | blackbird-obmc-linux-a8e93f3dccc066cd6dd1e9db1e35942914fc57d1.tar.gz blackbird-obmc-linux-a8e93f3dccc066cd6dd1e9db1e35942914fc57d1.zip | |
firewire: cdev: check write quadlet request length to avoid buffer overflow
Check that the data length of a write quadlet request actually is large
enough for a quadlet. Otherwise, fw_fill_request could access the four
bytes after the end of the outbound_transaction_event structure.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Modification of Clemens' change: Consolidate the check into
init_request() which is used by the affected ioctl_send_request() and
ioctl_send_broadcast_request() and the unaffected
ioctl_send_stream_packet(), to save a few lines of code.
Note, since struct outbound_transaction_event *e is slab-allocated, such
an out-of-bounds access won't hit unallocated memory but may result in a
(virtually impossible to exploit) information disclosure.
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Diffstat (limited to 'drivers/firewire/core-transaction.c')
0 files changed, 0 insertions, 0 deletions
