Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 9c5d7700 authored by Stephen Hemminger's avatar Stephen Hemminger
Browse files

beceem: don't overrun user buffer on read 



Serious bug in original code, if app reads 10 bytes but 20 byte msg
received memory would get overwritten.

Signed-off-by: default avatarStephen Hemminger <shemminger@vyatta.com>
parent 5cf084f4

drivers/staging/bcm/Bcmchar.c

+1 −1
Original line number Diff line number Diff line
@@ -139,7 +139,7 @@ static ssize_t bcm_char_read(struct file *filp, char __user *buf, size_t size, l 
	if(Packet)

	{

		PktLen = Packet->len;

		if(copy_to_user(buf, Packet->data, PktLen))

		if(copy_to_user(buf, Packet->data, min_t(size_t, PktLen, size)))

		{

			dev_kfree_skb(Packet);

			BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0, "\nReturning from copy to user failure \n");