staging: r8188eu: get a string from the user correctly

The original code had two bugs:
1) It didn't check if the string was zero length so it could oops when
   it tried to dereference the ZERO_SIZE_PTR.
2) It didn't enforce that the string was NUL terminated.

It was also messy as pants.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Dan Carpenter 2014-10-31 13:40:39 +03:00 committed by Greg Kroah-Hartman
parent f8e4df53c7
commit d0915b2255


@ -162,22 +162,12 @@ int rtw_android_priv_cmd(struct net_device *net, struct ifreq *ifr, int cmd)
ret = -EFAULT; ret = -EFAULT;
goto exit; goto exit;
} }
command = kmalloc(priv_cmd.total_len, GFP_KERNEL); if (priv_cmd.total_len < 1)
if (!command) { return -EINVAL;
DBG_88E("%s: failed to allocate memory\n", __func__); command = memdup_user(priv_cmd.buf, priv_cmd.total_len);
ret = -ENOMEM; if (IS_ERR(command))
goto exit; return PTR_ERR(command);
} command[priv_cmd.total_len - 1] = 0;
if (!access_ok(VERIFY_READ, priv_cmd.buf, priv_cmd.total_len)) {
DBG_88E("%s: failed to access memory\n", __func__);
ret = -EFAULT;
goto exit;
}
if (copy_from_user(command, (char __user *)priv_cmd.buf,
priv_cmd.total_len)) {
ret = -EFAULT;
goto exit;
}
DBG_88E("%s: Android private cmd \"%s\" on %s\n", DBG_88E("%s: Android private cmd \"%s\" on %s\n",
__func__, command, ifr->ifr_name); __func__, command, ifr->ifr_name);
cmd_num = rtw_android_cmdstr_to_num(command); cmd_num = rtw_android_cmdstr_to_num(command);
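Review bot: The two new failure paths, `return -EINVAL;` and `return PTR_ERR(command);`, leave the function directly, while the context lines just above them set `ret` and `goto exit`. The `exit` label and the start of rtw_android_priv_cmd are outside this hunk, so if that label does anything besides free `command` (releasing a lock, for example), these returns skip it. Routing them through the label would be safer: `ret = -EINVAL; goto exit;` and `ret = PTR_ERR(command); command = NULL; goto exit;`, where the NULL reset keeps an error pointer away from any `kfree(command)` at the label. Separately, `priv_cmd.total_len` is copied from userspace and only checked against `< 1`, so the caller still chooses the allocation size passed to `memdup_user()`. Rejecting lengths above a driver-defined maximum in the same check would bound it.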