old buffer overflow in moxa driver
I noticed that the moxa input checking security bug described by CVE-2005-0504 appears to remain unfixed upstream. The issue is described here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0504 Debian has been shipping the following patch from Andres Salomon. (akpm: it's a privileged operation) Signed-off-by: dann frazier <dannf@hp.com> Signed-off-by: Andres Salomon <dilinger@debian.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This commit is contained in:
parent
83ae1b79c8
commit
a2f72982e2
1 changed files with 6 additions and 2 deletions
|
@ -1582,7 +1582,7 @@ int MoxaDriverIoctl(unsigned int cmd, unsigned long arg, int port)
|
|||
|
||||
if(copy_from_user(&dltmp, argp, sizeof(struct dl_str)))
|
||||
return -EFAULT;
|
||||
if(dltmp.cardno < 0 || dltmp.cardno >= MAX_BOARDS)
|
||||
if(dltmp.cardno < 0 || dltmp.cardno >= MAX_BOARDS || dltmp.len < 0)
|
||||
return -EINVAL;
|
||||
|
||||
switch(cmd)
|
||||
|
@ -2529,6 +2529,8 @@ static int moxaloadbios(int cardno, unsigned char __user *tmp, int len)
|
|||
void __iomem *baseAddr;
|
||||
int i;
|
||||
|
||||
if(len < 0 || len > sizeof(moxaBuff))
|
||||
return -EINVAL;
|
||||
if(copy_from_user(moxaBuff, tmp, len))
|
||||
return -EFAULT;
|
||||
baseAddr = moxa_boards[cardno].basemem;
|
||||
|
@ -2576,7 +2578,7 @@ static int moxaload320b(int cardno, unsigned char __user *tmp, int len)
|
|||
void __iomem *baseAddr;
|
||||
int i;
|
||||
|
||||
if(len > sizeof(moxaBuff))
|
||||
if(len < 0 || len > sizeof(moxaBuff))
|
||||
return -EINVAL;
|
||||
if(copy_from_user(moxaBuff, tmp, len))
|
||||
return -EFAULT;
|
||||
|
@ -2596,6 +2598,8 @@ static int moxaloadcode(int cardno, unsigned char __user *tmp, int len)
|
|||
void __iomem *baseAddr, *ofsAddr;
|
||||
int retval, port, i;
|
||||
|
||||
if(len < 0 || len > sizeof(moxaBuff))
|
||||
return -EINVAL;
|
||||
if(copy_from_user(moxaBuff, tmp, len))
|
||||
return -EFAULT;
|
||||
baseAddr = moxa_boards[cardno].basemem;
|
||||
|
|
Loading…
Reference in a new issue