summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDan Carpenter <error27@gmail.com>2010-09-08 23:39:56 +0400
committerDavid Woodhouse <David.Woodhouse@intel.com>2010-10-25 02:52:49 +0400
commit5e59be1f351b0ca9c5a43c627e3ed676ae93a941 (patch)
tree57a69440a6ed3045253df626afe726cd21e47ab3
parent0eecf4b20d63e0662d0a9732e9bd8a84bd3f872c (diff)
downloadlinux-5e59be1f351b0ca9c5a43c627e3ed676ae93a941.tar.xz
mtd: sanity check ioctl input
If "ur_idx" is wrong we could go past the end of the array. The "ur_idx" comes from root so it's not a huge deal, but adding a sanity check makes the code more robust. Signed-off-by: Dan Carpenter <error27@gmail.com> Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com> Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
-rw-r--r--drivers/mtd/mtdchar.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/drivers/mtd/mtdchar.c b/drivers/mtd/mtdchar.c
index 1d981a5c1b13..5895de7018d4 100644
--- a/drivers/mtd/mtdchar.c
+++ b/drivers/mtd/mtdchar.c
@@ -546,6 +546,9 @@ static int mtd_ioctl(struct file *file, u_int cmd, u_long arg)
if (get_user(ur_idx, &(ur->regionindex)))
return -EFAULT;
+ if (ur_idx >= mtd->numeraseregions)
+ return -EINVAL;
+
kr = &(mtd->eraseregions[ur_idx]);
if (put_user(kr->offset, &(ur->offset))