git.ipfire.org Git - thirdparty/kernel/stable-queue.git/blob

   1 From 38762a0763c10c24a4915feee722d7aa6e73eb98 Mon Sep 17 00:00:00 2001
   2 From: Thanassis Avgerinos <thanassis.avgerinos@gmail.com>
   3 Date: Wed, 17 Apr 2024 11:30:02 -0400
   4 Subject: firewire: nosy: ensure user_length is taken into account when fetching packet contents
   5
   6 From: Thanassis Avgerinos <thanassis.avgerinos@gmail.com>
   7
   8 commit 38762a0763c10c24a4915feee722d7aa6e73eb98 upstream.
   9
  10 Ensure that packet_buffer_get respects the user_length provided. If
  11 the length of the head packet exceeds the user_length, packet_buffer_get
  12 will now return 0 to signify to the user that no data were read
  13 and a larger buffer size is required. Helps prevent user space overflows.
  14
  15 Signed-off-by: Thanassis Avgerinos <thanassis.avgerinos@gmail.com>
  16 Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
  17 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  18 ---
  19  drivers/firewire/nosy.c |    6 ++++--
  20  1 file changed, 4 insertions(+), 2 deletions(-)
  21
  22 --- a/drivers/firewire/nosy.c
  23 +++ b/drivers/firewire/nosy.c
  24 @@ -161,10 +161,12 @@ packet_buffer_get(struct client *client,
  25         if (atomic_read(&buffer->size) == 0)
  26                 return -ENODEV;
  27
  28 -       /* FIXME: Check length <= user_length. */
  29 +       length = buffer->head->length;
  30 +
  31 +       if (length > user_length)
  32 +               return 0;
  33
  34         end = buffer->data + buffer->capacity;
  35 -       length = buffer->head->length;
  36
  37         if (&buffer->head->data[length] < end) {
  38                 if (copy_to_user(data, buffer->head->data, length))