2
0
mirror of https://github.com/edk2-porting/linux-next.git synced 2024-12-28 15:13:55 +08:00
linux-next/drivers/net/hamradio
Wenwen Wang 0781168e23 yam: fix a missing-check bug
In yam_ioctl(), the concrete ioctl command is firstly copied from the
user-space buffer 'ifr->ifr_data' to 'ioctl_cmd' and checked through the
following switch statement. If the command is not as expected, an error
code EINVAL is returned. In the following execution the buffer
'ifr->ifr_data' is copied again in the cases of the switch statement to
specific data structures according to what kind of ioctl command is
requested. However, after the second copy, no re-check is enforced on the
newly-copied command. Given that the buffer 'ifr->ifr_data' is in the user
space, a malicious user can race to change the command between the two
copies. This way, the attacker can inject inconsistent data and cause
undefined behavior.

This patch adds a re-check in each case of the switch statement if there is
a second copy in that case, to re-check whether the command obtained in the
second copy is the same as the one in the first copy. If not, an error code
EINVAL will be returned.

Signed-off-by: Wenwen Wang <wang6495@umn.edu>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-10-05 11:54:55 -07:00
..
6pack.c net/hamradio/6pack: remove redundant variable channel 2018-07-05 19:34:45 +09:00
baycom_epp.c hamradio: baycom: use new parport device model 2017-09-18 16:40:25 -07:00
baycom_par.c hamradio: baycom_par: use new parport device model 2017-10-16 21:16:23 +01:00
baycom_ser_fdx.c hamradio: baycom: make hdlcdrv_ops const 2017-08-07 14:26:46 -07:00
baycom_ser_hdx.c hamradio: baycom: make hdlcdrv_ops const 2017-08-07 14:26:46 -07:00
bpqether.c net: hamradio: use eth_broadcast_addr 2018-06-20 07:51:43 +09:00
dmascc.c hamradio: dmascc: avoid -Wformat-overflow warning 2017-07-26 09:32:44 -07:00
hdlcdrv.c hdlcdrv: Fix divide by zero in hdlcdrv_ioctl 2017-05-27 18:44:17 -04:00
Kconfig
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
mkiss.c mkiss: remove redundant check for len > 0 2018-04-25 14:12:06 -04:00
scc.c proc: introduce proc_create_seq{,_data} 2018-05-16 07:23:35 +02:00
yam.c yam: fix a missing-check bug 2018-10-05 11:54:55 -07:00
z8530.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00