summaryrefslogtreecommitdiff
path: root/include/linux/firewire-cdev.h
diff options
context:
space:
mode:
authorStefan Richter <stefanr@s5r6.in-berlin.de>2010-04-07 10:30:50 +0400
committerStefan Richter <stefanr@s5r6.in-berlin.de>2010-04-10 18:51:13 +0400
commit9cac00b8f0079d5d3d54ec4dae453d58dec30e7c (patch)
tree902b5f22c553395e5bab8c7561b996f19584e7f6 /include/linux/firewire-cdev.h
parent385ab5bcd4be586dffdba550b310308d89eade71 (diff)
downloadlinux-9cac00b8f0079d5d3d54ec4dae453d58dec30e7c.tar.xz
firewire: cdev: fix information leak
A userspace client got to see uninitialized stack-allocated memory if it specified an _IOC_READ type of ioctl and an argument size larger than expected by firewire-core's ioctl handlers (but not larger than the core's union ioctl_arg). Fix this by clearing the requested buffer size to zero, but only at _IOR ioctls. This way, there is almost no runtime penalty to legitimate ioctls. The only legitimate _IOR is FW_CDEV_IOC_GET_CYCLE_TIMER with 12 or 16 bytes to memset. [Another way to fix this would be strict checking of argument size (and possibly direction) vs. command number. However, we then need a lookup table, and we need to allow for slight size deviations in case of 32bit userland on 64bit kernel.] Reported-by: Clemens Ladisch <clemens@ladisch.de> Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Diffstat (limited to 'include/linux/firewire-cdev.h')
0 files changed, 0 insertions, 0 deletions