staging/bcm: two information leaks in ioctl

There are a couple paths where we don't check how much data we copy back
to the user.

Cc: Dave Jones <davej@redhat.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/staging/bcm/Bcmchar.c b/drivers/staging/bcm/Bcmchar.c
index fdebc3b..6f1997d 100644 (file)
--- a/drivers/staging/bcm/Bcmchar.c
+++ b/drivers/staging/bcm/Bcmchar.c
@@ -590,6 +590,8 @@ static int bcm_char_ioctl_gpio_multi_request(void __user *argp, struct bcm_mini_
 
        if (IoBuffer.InputLength > sizeof(gpio_multi_info))
                return -EINVAL;
+       if (IoBuffer.OutputLength > sizeof(gpio_multi_info))
+               IoBuffer.OutputLength = sizeof(gpio_multi_info);
 
        if (copy_from_user(&gpio_multi_info, IoBuffer.InputBuffer, IoBuffer.InputLength))
                return -EFAULT;
@@ -680,6 +682,8 @@ static int bcm_char_ioctl_gpio_mode_request(void __user *argp, struct bcm_mini_a
 
        if (IoBuffer.InputLength > sizeof(gpio_multi_mode))
                return -EINVAL;
+       if (IoBuffer.OutputLength > sizeof(gpio_multi_mode))
+               IoBuffer.OutputLength = sizeof(gpio_multi_mode);
 
        if (copy_from_user(&gpio_multi_mode, IoBuffer.InputBuffer, IoBuffer.InputLength))
                return -EFAULT;