diff options
author | Dan Carpenter <error27@gmail.com> | 2010-09-08 23:39:56 +0400 |
---|---|---|
committer | David Woodhouse <David.Woodhouse@intel.com> | 2010-10-25 02:52:49 +0400 |
commit | 5e59be1f351b0ca9c5a43c627e3ed676ae93a941 (patch) | |
tree | 57a69440a6ed3045253df626afe726cd21e47ab3 | |
parent | 0eecf4b20d63e0662d0a9732e9bd8a84bd3f872c (diff) | |
download | linux-5e59be1f351b0ca9c5a43c627e3ed676ae93a941.tar.xz |
mtd: sanity check ioctl input
If "ur_idx" is wrong we could go past the end of the array. The
"ur_idx" comes from root so it's not a huge deal, but adding a sanity
check makes the code more robust.
Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
-rw-r--r-- | drivers/mtd/mtdchar.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/drivers/mtd/mtdchar.c b/drivers/mtd/mtdchar.c index 1d981a5c1b13..5895de7018d4 100644 --- a/drivers/mtd/mtdchar.c +++ b/drivers/mtd/mtdchar.c @@ -546,6 +546,9 @@ static int mtd_ioctl(struct file *file, u_int cmd, u_long arg) if (get_user(ur_idx, &(ur->regionindex))) return -EFAULT; + if (ur_idx >= mtd->numeraseregions) + return -EINVAL; + kr = &(mtd->eraseregions[ur_idx]); if (put_user(kr->offset, &(ur->offset)) |