From b72a7c859efc9e0cf13600b30a555457a08dd86f Mon Sep 17 00:00:00 2001
From: Kevin McKinney <klmckinney1@gmail.com>
Date: Wed, 14 Dec 2011 22:44:33 -0500
Subject: Staging: bcm: Fix information leak in IOCTL_BCM_GET_DRIVER_VERSION

This ioctl, IOCTL_BCM_GET_DRIVER_VERSION, is
responsible for sending the driver version
to userspace. However, the requested size stored
in IoBuffer.OutputLength may be incorrect.
Therefore, we altered the code to send the
exact length of the version, plus one for the
null character.

Signed-off-by: Kevin McKinney <klmckinney1@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
 drivers/staging/bcm/Bcmchar.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/staging/bcm/Bcmchar.c b/drivers/staging/bcm/Bcmchar.c
index c4d7a619418..fa4a854ba05 100644
--- a/drivers/staging/bcm/Bcmchar.c
+++ b/drivers/staging/bcm/Bcmchar.c
@@ -999,11 +999,15 @@ cntrlEnd:
 	}
 
 	case IOCTL_BCM_GET_DRIVER_VERSION: {
+		ulong len;
+
 		/* Copy Ioctl Buffer structure */
 		if (copy_from_user(&IoBuffer, argp, sizeof(IOCTL_BUFFER)))
 			return -EFAULT;
 
-		if (copy_to_user(IoBuffer.OutputBuffer, VER_FILEVERSION_STR, IoBuffer.OutputLength))
+		len = min_t(ulong, IoBuffer.OutputLength, strlen(VER_FILEVERSION_STR) + 1);
+
+		if (copy_to_user(IoBuffer.OutputBuffer, VER_FILEVERSION_STR, len))
 			return -EFAULT;
 		Status = STATUS_SUCCESS;
 		break;
-- 
cgit v1.2.3-18-g5258