From: Dann Frazier <dannf@hp.com>
Date: Sat, 6 Oct 2007 21:51:05 +0000 (+0200)
Subject: fix buffer overflow in the moxa driver (CVE-2005-0504)
X-Git-Tag: v2.6.16.55-rc1~8
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=de9e88d512afbad9f7a5d73b28dbcc332894b81a;p=thirdparty%2Fkernel%2Fstable.git

fix buffer overflow in the moxa driver (CVE-2005-0504)

Signed-off-by: Dann Frazier <dannf@hp.com>
Signed-off-by: Andres Salomon <dilinger@debian.org>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
---

diff --git a/drivers/char/moxa.c b/drivers/char/moxa.c
index f43c2e04eadd3..f9815bf418d3a 100644
--- a/drivers/char/moxa.c
+++ b/drivers/char/moxa.c
@@ -1656,7 +1656,7 @@ int MoxaDriverIoctl(unsigned int cmd, unsigned long arg, int port)
 
 	if(copy_from_user(&dltmp, argp, sizeof(struct dl_str)))
 		return -EFAULT;
-	if(dltmp.cardno < 0 || dltmp.cardno >= MAX_BOARDS)
+	if(dltmp.cardno < 0 || dltmp.cardno >= MAX_BOARDS || dltmp.len < 0)
 		return -EINVAL;
 
 	switch(cmd)
@@ -2764,6 +2764,8 @@ static int moxaloadbios(int cardno, unsigned char __user *tmp, int len)
 	void __iomem *baseAddr;
 	int i;
 
+	if(len < 0 || len > sizeof(moxaBuff))
+		return -EINVAL;
 	if(copy_from_user(moxaBuff, tmp, len))
 		return -EFAULT;
 	baseAddr = moxaBaseAddr[cardno];
@@ -2811,7 +2813,7 @@ static int moxaload320b(int cardno, unsigned char __user *tmp, int len)
 	void __iomem *baseAddr;
 	int i;
 
-	if(len > sizeof(moxaBuff))
+	if(len < 0 || len > sizeof(moxaBuff))
 		return -EINVAL;
 	if(copy_from_user(moxaBuff, tmp, len))
 		return -EFAULT;
@@ -2831,6 +2833,8 @@ static int moxaloadcode(int cardno, unsigned char __user *tmp, int len)
 	void __iomem *baseAddr, *ofsAddr;
 	int retval, port, i;
 
+	if(len < 0 || len > sizeof(moxaBuff))
+		return -EINVAL;
 	if(copy_from_user(moxaBuff, tmp, len))
 		return -EFAULT;
 	baseAddr = moxaBaseAddr[cardno];