| author | yang-cy.chen <yang-cy.chen@mediatek.com> | 2016-05-05 16:04:25 +0800 |
|---|---|---|
| committer | Moyster <oysterized@gmail.com> | 2016-08-26 16:02:14 +0200 |
| commit | 2ba773c9c6498be7623d3de43f825aef48dd619d (patch) | |
| tree | 77f34f49e44ab192e02e127bdb3cb02d35d0207f | |
| parent | 88d70e960decc88e9d310a95e8ab7db7ca690f67 (diff) | |
Fix "buffer overflow in mt3326_gps_write() of Mediatek driver" issue
Problem:
lack of boundary check of user input parameter before copy_from_user.
Solution:
Add boundary protection to prevent buffer overflow
Bug num:28174914
Change-Id: Ieb439cba0ed9c9304b14a319515472eb09dc17dd
Signed-off-by: yang-cy.chen <yang-cy.chen@mediatek.com>
| -rw-r--r-- | drivers/misc/mediatek/gps/gps.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/drivers/misc/mediatek/gps/gps.c b/drivers/misc/mediatek/gps/gps.c
index 3d9fa6eb6..8ef7ff8c2 100644
--- a/drivers/misc/mediatek/gps/gps.c
+++ b/drivers/misc/mediatek/gps/gps.c
@@ -805,6 +805,7 @@ static ssize_t mt3326_gps_write(struct file *file, const char __user *buf, size_
 {
 struct gps_data *dev = file->private_data;
 ssize_t ret = 0;
+ size_t copy_size = 0;
 GPS_TRC();
@@ -820,7 +821,8 @@ static ssize_t mt3326_gps_write(struct file *file, const char __user *buf, size_
 if (down_interruptible(&dev->sem)) return -ERESTARTSYS;
- if (copy_from_user(dev->dat_buf, buf, count)) {
+ copy_size = min(count, sizeof(dev->dat_buf));
+ if (copy_from_user(dev->dat_buf, buf, copy_size)) {
 GPS_DBG("copy_from_user error");
 ret = -EFAULT;
 } else { |
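Review bot: The clamp in the second hunk bounds only the copy_from_user() call, while the `else` branch that follows runs past the end of the hunk; if that branch stores or returns `count` (for example as a buffer length or as the write's return value), it should use `copy_size` instead, otherwise a later consumer of `dev->dat_buf` could be given a length larger than the buffer. The oversized write is also truncated silently; rejecting it before the semaphore is taken, e.g. `if (count > sizeof(dev->dat_buf)) return -EINVAL;`, would make the limit visible to callers. `sizeof(dev->dat_buf)` is only the buffer size if `dat_buf` is an array member of `struct gps_data`, which is not visible here and is worth confirming. A one-line comment such as `/* clamp to dat_buf so a large count cannot overflow it */` above the `min()` would record why the bound exists.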
