linux/drivers/firewire
Clemens Ladisch a8e93f3dcc firewire: cdev: check write quadlet request length to avoid buffer overflow
Check that the data length of a write quadlet request actually is large
enough for a quadlet.  Otherwise, fw_fill_request could access the four
bytes after the end of the outbound_transaction_event structure.

Signed-off-by: Clemens Ladisch <clemens@ladisch.de>

Modification of Clemens' change:  Consolidate the check into
init_request() which is used by the affected ioctl_send_request() and
ioctl_send_broadcast_request() and the unaffected
ioctl_send_stream_packet(), to save a few lines of code.

Note, since struct outbound_transaction_event *e is slab-allocated, such
an out-of-bounds access won't hit unallocated memory but may result in a
(virtually impossible to exploit) information disclosure.

Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2010-07-13 09:47:47 +02:00
..
core-card.c firewire: cdev: fix fw_cdev_event_bus_reset.bm_node_id 2010-07-08 16:52:02 +02:00
core-cdev.c firewire: cdev: check write quadlet request length to avoid buffer overflow 2010-07-13 09:47:47 +02:00
core-device.c firewire: core: align driver match with modalias 2010-03-24 22:01:47 +01:00
core-iso.c firewire: core: fw_iso_resource_manage: fix error handling 2010-03-15 14:29:44 +01:00
core-topology.c firewire: cdev: fix fw_cdev_event_bus_reset.bm_node_id 2010-07-08 16:52:02 +02:00
core-transaction.c firewire: expose extended tcode of incoming lock requests to (userspace) drivers 2010-06-20 23:11:56 +02:00
core.h firewire: rename CSR access driver methods 2010-06-19 13:01:41 +02:00
Kconfig firewire, ieee1394: update Kconfig help 2009-12-29 19:58:17 +01:00
Makefile
net.c firewire: remove an unused function argument 2010-06-20 23:11:55 +02:00
ohci.c firewire: rename CSR access driver methods 2010-06-19 13:01:41 +02:00
ohci.h firewire: add CSR cmstr support 2010-06-10 08:36:37 +02:00
sbp2.c firewire: remove an unused function argument 2010-06-20 23:11:55 +02:00