Commit 9638b67b authored by Dan Carpenter's avatar Dan Carpenter Committed by Greg Kroah-Hartman
Browse files

Staging: sep: potential buffer overflow in ioctl 



tail_size is determined by several variables that come from the user
so we should verify that it's not too large.

Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Acked-by: default avatarAlan Cox <alan@linux.intel.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
parent 23226977

drivers/staging/sep/sep_driver.c

+2 −0
Original line number Diff line number Diff line
@@ -2120,6 +2120,8 @@ static int sep_prepare_input_output_dma_table_in_dcb(struct sep_device *sep, 
			}

		}

		if (tail_size) {

			if (tail_size > sizeof(dcb_table_ptr->tail_data))

				return -EINVAL;

			if (is_kva == true) {

				memcpy(dcb_table_ptr->tail_data,

					(void *)(app_in_address + data_in_size -