From: Chen Gang Date: Mon, 21 Jan 2013 09:33:26 +0000 (+0800) Subject: staging: tidspbridge/pmgr: additional checking after return from strlen_user X-Git-Tag: firefly_0821_release~3680^2~1080^2~357 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=ec7e0aef31e2eece787f7c49df1f031f2a983265;p=firefly-linux-kernel-4.4.55.git staging: tidspbridge/pmgr: additional checking after return from strlen_user strlen_user will return the length including final NUL. and will return 0 if failed (for example: if user string not NUL terminated) so need check whether it is an invalid parameter. addtional info: can reference the comments of strlen_user in lib/strnlen_user.c Signed-off-by: Chen Gang Cc: Omar Ramirez Luna Signed-off-by: Greg Kroah-Hartman --- diff --git a/drivers/staging/tidspbridge/pmgr/dspapi.c b/drivers/staging/tidspbridge/pmgr/dspapi.c index 9ef1ad9527af..5a18a9417ac2 100644 --- a/drivers/staging/tidspbridge/pmgr/dspapi.c +++ b/drivers/staging/tidspbridge/pmgr/dspapi.c @@ -414,10 +414,13 @@ u32 mgrwrap_register_object(union trapped_args *args, void *pr_ctxt) CP_FM_USR(&uuid_obj, args->args_mgr_registerobject.uuid_obj, status, 1); if (status) goto func_end; - /* path_size is increased by 1 to accommodate NULL */ path_size = strlen_user((char *) - args->args_mgr_registerobject.sz_path_name) + - 1; + args->args_mgr_registerobject.sz_path_name); + if (!path_size) { + status = -EINVAL; + goto func_end; + } + psz_path_name = kmalloc(path_size, GFP_KERNEL); if (!psz_path_name) { status = -ENOMEM;