firewire: check cdev response length Add a check that the data length in the SEND_RESPONSE ioctl is correct. Incidentally, this also fixes the previously wrong response length of software-handled lock requests. Signed-off-by: Clemens Ladisch <[email protected]> Signed-off-by: Stefan Richter <[email protected]>

commit: a10c0ce76098857b899505d05de9f2e13ddf7a7a [log] [tgz]
author: Clemens Ladisch <[email protected]> Wed May 19 08:28:32 2010 +0200
committer: Stefan Richter <[email protected]> Wed Jun 09 19:42:18 2010 +0200
tree: 130592c6baaff2e38dd813448337dded1ee1645b
parent: 262444eecce40950af19ea4d75a3dc03b3c07283 [diff] [blame]
diff --git a/drivers/firewire/core-cdev.c b/drivers/firewire/core-cdev.c
index 9d1a1a1..50332b8 100644
--- a/drivers/firewire/core-cdev.c
+++ b/drivers/firewire/core-cdev.c

@@ -756,9 +756,12 @@
 	if (is_fcp_request(r->request))
 		goto out;
 
-	if (a->length < r->length)
-		r->length = a->length;
-	if (copy_from_user(r->data, u64_to_uptr(a->data), r->length)) {
+	if (a->length != fw_get_response_length(r->request)) {
+		ret = -EINVAL;
+		kfree(r->request);
+		goto out;
+	}
+	if (copy_from_user(r->data, u64_to_uptr(a->data), a->length)) {
 		ret = -EFAULT;
 		kfree(r->request);
 		goto out;
commit	a10c0ce76098857b899505d05de9f2e13ddf7a7a	[log] [tgz]
author	Clemens Ladisch <[email protected]>	Wed May 19 08:28:32 2010 +0200
committer	Stefan Richter <[email protected]>	Wed Jun 09 19:42:18 2010 +0200
tree	130592c6baaff2e38dd813448337dded1ee1645b
parent	262444eecce40950af19ea4d75a3dc03b3c07283 [diff] [blame]