[PATCH 6.1 185/236] firewire: nosy: ensure user_length is taken into account when fetching packet contents

6.1-stable review patch. If anyone has any objections, please let me know.

------------------

From: Thanassis Avgerinos thanassis.avgerinos@gmail.com

commit 38762a0763c10c24a4915feee722d7aa6e73eb98 upstream.

Ensure that packet_buffer_get respects the user_length provided. If the length of the head packet exceeds the user_length, packet_buffer_get will now return 0 to signify to the user that no data were read and a larger buffer size is required. Helps prevent user space overflows.

Signed-off-by: Thanassis Avgerinos thanassis.avgerinos@gmail.com Signed-off-by: Takashi Sakamoto o-takashi@sakamocchi.jp Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- drivers/firewire/nosy.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/firewire/nosy.c +++ b/drivers/firewire/nosy.c @@ -148,10 +148,12 @@ packet_buffer_get(struct client *client, if (atomic_read(&buffer->size) == 0) return -ENODEV;

- /* FIXME: Check length <= user_length. */ + length = buffer->head->length; + + if (length > user_length) + return 0;

end = buffer->data + buffer->capacity; - length = buffer->head->length;

if (&buffer->head->data[length] < end) { if (copy_to_user(data, buffer->head->data, length))