mirror of
https://github.com/torvalds/linux.git
synced 2024-11-10 22:21:40 +00:00
a8e93f3dcc
Check that the data length of a write quadlet request actually is large enough for a quadlet. Otherwise, fw_fill_request could access the four bytes after the end of the outbound_transaction_event structure. Signed-off-by: Clemens Ladisch <clemens@ladisch.de> Modification of Clemens' change: Consolidate the check into init_request() which is used by the affected ioctl_send_request() and ioctl_send_broadcast_request() and the unaffected ioctl_send_stream_packet(), to save a few lines of code. Note, since struct outbound_transaction_event *e is slab-allocated, such an out-of-bounds access won't hit unallocated memory but may result in a (virtually impossible to exploit) information disclosure. Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de> |
||
|---|---|---|
| .. | ||
| core-card.c | ||
| core-cdev.c | ||
| core-device.c | ||
| core-iso.c | ||
| core-topology.c | ||
| core-transaction.c | ||
| core.h | ||
| Kconfig | ||
| Makefile | ||
| net.c | ||
| ohci.c | ||
| ohci.h | ||
| sbp2.c | ||