git.maemo.org Git - kernel-bfs/blob - kernel-bfs-2.6.28/debian/patches/dspbridge_ioctl_buffer_overrun.diff

   1 ---
   2  drivers/dsp/bridge/pmgr/wcd.c |   12 ++++++++++--
   3  1 files changed, 10 insertions(+), 2 deletions(-)
   4
   5 Index: kernel-power-2.6.28/drivers/dsp/bridge/pmgr/wcd.c
   6 ===================================================================
   7 --- kernel-power-2.6.28.orig/drivers/dsp/bridge/pmgr/wcd.c
   8 +++ kernel-power-2.6.28/drivers/dsp/bridge/pmgr/wcd.c
   9 @@ -242,21 +242,29 @@
  10                                     u32 *result, void *pr_ctxt)
  11  {
  12         u32 (*ioctl_cmd)(union Trapped_Args *args, void *pr_ctxt) = NULL;
  13 -       int i;
  14 +       u32 i;
  15
  16         if (_IOC_TYPE(cmd) != DB) {
  17                 pr_err("%s: Incompatible dspbridge ioctl number\n", __func__);
  18                 goto err;
  19         }
  20 -
  21 +#ifdef CONFIG_BRIDGE_NEW_API
  22         if (DB_GET_IOC_TABLE(cmd) > ARRAY_SIZE(size_cmd)) {
  23 +#else
  24 +       if (DB_GET_IOC_TABLE(cmd) >= ARRAY_SIZE(size_cmd)) {
  25 +#endif
  26                 pr_err("%s: undefined ioctl module\n", __func__);
  27                 goto err;
  28         }
  29
  30         /* Check the size of the required cmd table */
  31         i = DB_GET_IOC(cmd);
  32 +#ifdef CONFIG_BRIDGE_NEW_API
  33         if (i > size_cmd[DB_GET_IOC_TABLE(cmd)]) {
  34 +#else
  35 +       if (i >= size_cmd[DB_GET_IOC_TABLE(cmd)]) {
  36 +#endif
  37 +
  38                 pr_err("%s: requested ioctl %d out of bounds for table %d\n",
  39                                         __func__, i, DB_GET_IOC_TABLE(cmd));
  40                 goto err;