firewire: cdev: check write quadlet request length to avoid buffer overflow
authorClemens Ladisch <clemens@ladisch.de>
Wed, 7 Jul 2010 12:37:30 +0000 (14:37 +0200)
committerStefan Richter <stefanr@s5r6.in-berlin.de>
Tue, 13 Jul 2010 07:47:47 +0000 (09:47 +0200)
Check that the data length of a write quadlet request actually is large
enough for a quadlet.  Otherwise, fw_fill_request could access the four
bytes after the end of the outbound_transaction_event structure.

Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Modification of Clemens' change:  Consolidate the check into
init_request() which is used by the affected ioctl_send_request() and
ioctl_send_broadcast_request() and the unaffected
ioctl_send_stream_packet(), to save a few lines of code.

Note, since struct outbound_transaction_event *e is slab-allocated, such
an out-of-bounds access won't hit unallocated memory but may result in a
(virtually impossible to exploit) information disclosure.

Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
drivers/firewire/core-cdev.c

index d8ac0ce2d6bfcb90e49ac8f611cac6aa3c73d4c1..f7559bfeaba3c86a0b72c184012a428fc46d2319 100644 (file)
@@ -563,6 +563,10 @@ static int init_request(struct client *client,
            (request->length > 4096 || request->length > 512 << speed))
                return -EIO;
 
+       if (request->tcode == TCODE_WRITE_QUADLET_REQUEST &&
+           request->length < 4)
+               return -EINVAL;
+
        e = kmalloc(sizeof(*e) + request->length, GFP_KERNEL);
        if (e == NULL)
                return -ENOMEM;