mtd: sanity check ioctl input

If "ur_idx" is wrong we could go past the end of the array. The "ur_idx" comes from root so it's not a huge deal, but adding a sanity check makes the code more robust. Signed-off-by: Dan Carpenter <error27@gmail.com> Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com> Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
author: Dan Carpenter <error27@gmail.com> 2010-09-08 21:39:56 +0200
committer: David Woodhouse <David.Woodhouse@intel.com> 2010-10-24 23:52:49 +0100
commit: 5e59be1f351b0ca9c5a43c627e3ed676ae93a941 (patch)
tree: 57a69440a6ed3045253df626afe726cd21e47ab3 /drivers/mtd/mtdchar.c
parent: 0eecf4b20d63e0662d0a9732e9bd8a84bd3f872c (diff)
download: linux-5e59be1f351b0ca9c5a43c627e3ed676ae93a941.tar.gz
1 files changed, 3 insertions, 0 deletions
diff --git a/drivers/mtd/mtdchar.c b/drivers/mtd/mtdchar.c
index 1d981a5c1b13..5895de7018d4 100644
--- a/drivers/mtd/mtdchar.c
+++ b/drivers/mtd/mtdchar.c
@@ -546,6 +546,9 @@ static int mtd_ioctl(struct file *file, u_int cmd, u_long arg)
 		if (get_user(ur_idx, &(ur->regionindex)))
 			return -EFAULT;
 
+		if (ur_idx >= mtd->numeraseregions)
+			return -EINVAL;
+
 		kr = &(mtd->eraseregions[ur_idx]);
 
 		if (put_user(kr->offset, &(ur->offset))
author	Dan Carpenter <error27@gmail.com>	2010-09-08 21:39:56 +0200
committer	David Woodhouse <David.Woodhouse@intel.com>	2010-10-24 23:52:49 +0100
commit	5e59be1f351b0ca9c5a43c627e3ed676ae93a941 (patch)
tree	57a69440a6ed3045253df626afe726cd21e47ab3 /drivers/mtd/mtdchar.c
parent	0eecf4b20d63e0662d0a9732e9bd8a84bd3f872c (diff)
download	linux-5e59be1f351b0ca9c5a43c627e3ed676ae93a941.tar.gz