Staging: bcm: Fix information leak in IOCTL_BCM_GET_DRIVER_VERSION

This ioctl, IOCTL_BCM_GET_DRIVER_VERSION, is
responsible for sending the driver version
to userspace. However, the requested size stored
in IoBuffer.OutputLength may be incorrect.
Therefore, we altered the code to send the
exact length of the version, plus one for the
null character.

Signed-off-by: Kevin McKinney <klmckinney1@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

diff --git a/drivers/staging/bcm/Bcmchar.c b/drivers/staging/bcm/Bcmchar.c
index c4d7a6194180e5e0a5e3c8bfb136326c3851d767..fa4a854ba054b9e46ba92101a2bd3c3812dd2b5d 100644 (file)
--- a/drivers/staging/bcm/Bcmchar.c
+++ b/drivers/staging/bcm/Bcmchar.c
@@ -999,11 +999,15 @@ cntrlEnd:
        }
 
        case IOCTL_BCM_GET_DRIVER_VERSION: {
+               ulong len;
+
                /* Copy Ioctl Buffer structure */
                if (copy_from_user(&IoBuffer, argp, sizeof(IOCTL_BUFFER)))
                        return -EFAULT;
 
-               if (copy_to_user(IoBuffer.OutputBuffer, VER_FILEVERSION_STR, IoBuffer.OutputLength))
+               len = min_t(ulong, IoBuffer.OutputLength, strlen(VER_FILEVERSION_STR) + 1);
+
+               if (copy_to_user(IoBuffer.OutputBuffer, VER_FILEVERSION_STR, len))
                        return -EFAULT;
                Status = STATUS_SUCCESS;
                break;