From: Clemens Ladisch <clemens@ladisch.de>
Date: Wed, 7 Jul 2010 12:37:30 +0000 (+0200)
Subject: firewire: cdev: check write quadlet request length to avoid buffer overflow
X-Git-Tag: v2.6.36-rc1~490^2^3~19
X-Git-Url: http://git.openpandora.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a8e93f3dccc066cd6dd1e9db1e35942914fc57d1;p=pandora-kernel.git

firewire: cdev: check write quadlet request length to avoid buffer overflow

Check that the data length of a write quadlet request actually is large
enough for a quadlet.  Otherwise, fw_fill_request could access the four
bytes after the end of the outbound_transaction_event structure.

Signed-off-by: Clemens Ladisch <clemens@ladisch.de>

Modification of Clemens' change:  Consolidate the check into
init_request() which is used by the affected ioctl_send_request() and
ioctl_send_broadcast_request() and the unaffected
ioctl_send_stream_packet(), to save a few lines of code.

Note, since struct outbound_transaction_event *e is slab-allocated, such
an out-of-bounds access won't hit unallocated memory but may result in a
(virtually impossible to exploit) information disclosure.

Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
---

Reading git-diff-tree failed