old buffer overflow in moxa driver (CVE-2005-0504)

[backport of 2.6 commit a2f72982e22b96862f8f15272732bd316d4db040] old buffer overflow in moxa driver I noticed that the moxa input checking security bug described by CVE-2005-0504 appears to remain unfixed upstream. The issue is described here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0504 Debian has been shipping the following patch from Andres Salomon. (akpm: it's a privileged operation) Signed-off-by: dann frazier <dannf@hp.com> Signed-off-by: Andres Salomon <dilinger@debian.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Willy Tarreau <w@1wt.eu>
author: dann frazier <dannf@hp.com> 2007-05-08 00:31:39 -0700
committer: Willy Tarreau <w@1wt.eu> 2008-07-20 18:25:44 +0200
commit: 4412f6d850fa4bb4aa3cec1c677c6e9faa3bf6a8 (patch)
tree: 50ce58ebe00eccd314958e51f533538247af6740
parent: 4766dfec36bb4d2f88edd2c7ec3b9d61b167e857 (diff)
download: linux-2.4-4412f6d850fa4bb4aa3cec1c677c6e9faa3bf6a8.tar.gz
1 files changed, 6 insertions, 2 deletions
diff --git a/drivers/char/moxa.c b/drivers/char/moxa.c
index 341b8e0a2e9827..b67e8d605353c5 100644
--- a/drivers/char/moxa.c
+++ b/drivers/char/moxa.c
@@ -1763,7 +1763,7 @@ int MoxaDriverIoctl(unsigned int cmd, unsigned long arg, int port)
 
 	if(copy_from_user(&dltmp, (void *)arg, sizeof(struct dl_str)))
 		return -EFAULT;
-	if(dltmp.cardno < 0 || dltmp.cardno >= MAX_BOARDS)
+	if(dltmp.cardno < 0 || dltmp.cardno >= MAX_BOARDS || dltmp.len < 0)
 		return -EINVAL;
 
 	switch(cmd)
@@ -2874,6 +2874,8 @@ static int moxaloadbios(int cardno, unsigned char *tmp, int len)
 	unsigned long baseAddr;
 	int i;
 
+	if(len < 0 || len > sizeof(moxaBuff))
+		return -EINVAL;
 	if(copy_from_user(moxaBuff, tmp, len))
 		return -EFAULT;
 	baseAddr = moxaBaseAddr[cardno];
@@ -2921,7 +2923,7 @@ static int moxaload320b(int cardno, unsigned char * tmp, int len)
 	unsigned long baseAddr;
 	int i;
 
-	if(len > sizeof(moxaBuff))
+	if(len < 0 || len > sizeof(moxaBuff))
 		return -EINVAL;
 	if(copy_from_user(moxaBuff, tmp, len))
 		return -EFAULT;
@@ -2941,6 +2943,8 @@ static int moxaloadcode(int cardno, unsigned char * tmp, int len)
 	unsigned long baseAddr, ofsAddr;
 	int retval, port, i;
 
+	if(len < 0 || len > sizeof(moxaBuff))
+		return -EINVAL;
 	if(copy_from_user(moxaBuff, tmp, len))
 		return -EFAULT;
 	baseAddr = moxaBaseAddr[cardno];
author	dann frazier <dannf@hp.com>	2007-05-08 00:31:39 -0700
committer	Willy Tarreau <w@1wt.eu>	2008-07-20 18:25:44 +0200
commit	4412f6d850fa4bb4aa3cec1c677c6e9faa3bf6a8 (patch)
tree	50ce58ebe00eccd314958e51f533538247af6740
parent	4766dfec36bb4d2f88edd2c7ec3b9d61b167e857 (diff)
download	linux-2.4-4412f6d850fa4bb4aa3cec1c677c6e9faa3bf6a8.tar.gz