Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit cb9cc9ca authored by Dan Carpenter's avatar Dan Carpenter Committed by Greg Kroah-Hartman
Browse files

Staging: bcm: copying more data than intended 



This was changed to bcm_flash2x_cs_info instead of bcm_flash_cs_info
when we got rid of the typedefs.  bcm_flash2x_cs_info is quite a bit
larger than bcm_flash_cs_info (436 bytes instead of 96) so it would
corrupt user memory and it's an info leak.

Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent b3d07cf5

drivers/staging/bcm/Bcmchar.c

+1 −1
Original line number Diff line number Diff line
@@ -1792,7 +1792,7 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg) 
			if (IoBuffer.OutputLength < sizeof(struct bcm_flash_cs_info))

				return -EINVAL;



			if (copy_to_user(IoBuffer.OutputBuffer, Adapter->psFlashCSInfo, sizeof(struct bcm_flash2x_cs_info)))

			if (copy_to_user(IoBuffer.OutputBuffer, Adapter->psFlashCSInfo, sizeof(struct bcm_flash_cs_info)))

				return -EFAULT;

		}

	}