Commit d929dc2b authored by Kulikov Vasiliy's avatar Kulikov Vasiliy Committed by Linus Torvalds
Browse files

i2o: fix overflow of copy_to_user()

If (len > reslen) we must not call copy_to_user() since kernel buffer is
smaller than we want to copy.  Similar code in this file is correct, so
this bug was a typo.
Signed-off-by: default avatarKulikov Vasiliy <>
Signed-off-by: default avatarAndrew Morton <>
Signed-off-by: default avatarLinus Torvalds <>
parent 32fa4549
......@@ -115,7 +115,7 @@ static int i2o_cfg_gethrt(unsigned long arg)
put_user(len, kcmd.reslen);
if (len > reslen)
ret = -ENOBUFS;
if (copy_to_user(kcmd.resbuf, (void *)hrt, len))
else if (copy_to_user(kcmd.resbuf, (void *)hrt, len))
ret = -EFAULT;
return ret;
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment