[thirdparty/kernel/stable-queue.git] / releases / 3.10.94 / mwifiex-fix-mwifiex_rdeeprom_read.patch

From 1f9c6e1bc1ba5f8a10fcd6e99d170954d7c6d382 Mon Sep 17 00:00:00 2001
From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Mon, 21 Sep 2015 19:19:53 +0300
Subject: mwifiex: fix mwifiex_rdeeprom_read()

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 1f9c6e1bc1ba5f8a10fcd6e99d170954d7c6d382 upstream.

There were several bugs here.

1)  The done label was in the wrong place so we didn't copy any
    information out when there was no command given.

2)  We were using PAGE_SIZE as the size of the buffer instead of
    "PAGE_SIZE - pos".

3)  snprintf() returns the number of characters that would have been
    printed if there were enough space.  If there was not enough space
    (and we had fixed the memory corruption bug #2) then it would result
    in an information leak when we do simple_read_from_buffer().  I've
    changed it to use scnprintf() instead.

I also removed the initialization at the start of the function, because
I thought it made the code a little more clear.

Fixes: 5e6e3a92b9a4 ('wireless: mwifiex: initial commit for Marvell mwifiex driver')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/wireless/mwifiex/debugfs.c |   14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

--- a/drivers/net/wireless/mwifiex/debugfs.c
+++ b/drivers/net/wireless/mwifiex/debugfs.c
@@ -637,7 +637,7 @@ mwifiex_rdeeprom_read(struct file *file,
 		(struct mwifiex_private *) file->private_data;
 	unsigned long addr = get_zeroed_page(GFP_KERNEL);
 	char *buf = (char *) addr;
-	int pos = 0, ret = 0, i;
+	int pos, ret, i;
 	u8 value[MAX_EEPROM_DATA];
 
 	if (!buf)
@@ -645,7 +645,7 @@ mwifiex_rdeeprom_read(struct file *file,
 
 	if (saved_offset == -1) {
 		/* No command has been given */
-		pos += snprintf(buf, PAGE_SIZE, "0");
+		pos = snprintf(buf, PAGE_SIZE, "0");
 		goto done;
 	}
 
@@ -654,17 +654,17 @@ mwifiex_rdeeprom_read(struct file *file,
 				  (u16) saved_bytes, value);
 	if (ret) {
 		ret = -EINVAL;
-		goto done;
+		goto out_free;
 	}
 
-	pos += snprintf(buf, PAGE_SIZE, "%d %d ", saved_offset, saved_bytes);
+	pos = snprintf(buf, PAGE_SIZE, "%d %d ", saved_offset, saved_bytes);
 
 	for (i = 0; i < saved_bytes; i++)
-		pos += snprintf(buf + strlen(buf), PAGE_SIZE, "%d ", value[i]);
-
-	ret = simple_read_from_buffer(ubuf, count, ppos, buf, pos);
+		pos += scnprintf(buf + pos, PAGE_SIZE - pos, "%d ", value[i]);
 
 done:
+	ret = simple_read_from_buffer(ubuf, count, ppos, buf, pos);
+out_free:
 	free_page(addr);
 	return ret;
 }
Commit	Line	Data
d3cd607a GKH	1	From 1f9c6e1bc1ba5f8a10fcd6e99d170954d7c6d382 Mon Sep 17 00:00:00 2001
	2	From: Dan Carpenter <dan.carpenter@oracle.com>
	3	Date: Mon, 21 Sep 2015 19:19:53 +0300
	4	Subject: mwifiex: fix mwifiex_rdeeprom_read()
	5
	6	From: Dan Carpenter <dan.carpenter@oracle.com>
	7
	8	commit 1f9c6e1bc1ba5f8a10fcd6e99d170954d7c6d382 upstream.
	9
	10	There were several bugs here.
	11
	12	1) The done label was in the wrong place so we didn't copy any
	13	information out when there was no command given.
	14
	15	2) We were using PAGE_SIZE as the size of the buffer instead of
	16	"PAGE_SIZE - pos".
	17
	18	3) snprintf() returns the number of characters that would have been
	19	printed if there were enough space. If there was not enough space
	20	(and we had fixed the memory corruption bug #2) then it would result
	21	in an information leak when we do simple_read_from_buffer(). I've
	22	changed it to use scnprintf() instead.
	23
	24	I also removed the initialization at the start of the function, because
	25	I thought it made the code a little more clear.
	26
	27	Fixes: 5e6e3a92b9a4 ('wireless: mwifiex: initial commit for Marvell mwifiex driver')
	28	Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
	29	Acked-by: Amitkumar Karwar <akarwar@marvell.com>
	30	Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
	31	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	32
	33	---
	34	drivers/net/wireless/mwifiex/debugfs.c \| 14 +++++++-------
	35	1 file changed, 7 insertions(+), 7 deletions(-)
	36
	37	--- a/drivers/net/wireless/mwifiex/debugfs.c
	38	+++ b/drivers/net/wireless/mwifiex/debugfs.c
	39	@@ -637,7 +637,7 @@ mwifiex_rdeeprom_read(struct file *file,
	40	(struct mwifiex_private *) file->private_data;
	41	unsigned long addr = get_zeroed_page(GFP_KERNEL);
	42	char buf = (char ) addr;
	43	- int pos = 0, ret = 0, i;
	44	+ int pos, ret, i;
	45	u8 value[MAX_EEPROM_DATA];
	46
	47	if (!buf)
	48	@@ -645,7 +645,7 @@ mwifiex_rdeeprom_read(struct file *file,
	49
	50	if (saved_offset == -1) {
	51	/* No command has been given */
	52	- pos += snprintf(buf, PAGE_SIZE, "0");
	53	+ pos = snprintf(buf, PAGE_SIZE, "0");
	54	goto done;
	55	}
	56
	57	@@ -654,17 +654,17 @@ mwifiex_rdeeprom_read(struct file *file,
	58	(u16) saved_bytes, value);
	59	if (ret) {
	60	ret = -EINVAL;
	61	- goto done;
	62	+ goto out_free;
	63	}
	64
65	- pos += snprintf(buf, PAGE_SIZE, "%d %d ", saved_offset, saved_bytes);
66	+ pos = snprintf(buf, PAGE_SIZE, "%d %d ", saved_offset, saved_bytes);
67
68	for (i = 0; i < saved_bytes; i++)
69	- pos += snprintf(buf + strlen(buf), PAGE_SIZE, "%d ", value[i]);
70	-
71	- ret = simple_read_from_buffer(ubuf, count, ppos, buf, pos);
72	+ pos += scnprintf(buf + pos, PAGE_SIZE - pos, "%d ", value[i]);
73
74	done:
75	+ ret = simple_read_from_buffer(ubuf, count, ppos, buf, pos);
76	+out_free:
77	free_page(addr);
78	return ret;
79	}