From 400ed5ca507ae709028cc8c1f9cc17059485a12c Mon Sep 17 00:00:00 2001
From: Augustin Cavalier
Date: Sun, 18 Nov 2018 14:50:53 -0500
Subject: [PATCH] h2generic: Copy the user buffer before using it.
---
 .../kernel/drivers/bluetooth/h2/h2generic/h2generic.cpp | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/src/add-ons/kernel/drivers/bluetooth/h2/h2generic/h2generic.cpp b/src/add-ons/kernel/drivers/bluetooth/h2/h2generic/h2generic.cpp
index f5d3e4b09a..13985d3024 100644
--- a/src/add-ons/kernel/drivers/bluetooth/h2/h2generic/h2generic.cpp
+++ b/src/add-ons/kernel/drivers/bluetooth/h2/h2generic/h2generic.cpp
@@ -591,7 +591,7 @@ device_free(void* cookie)
 // implements the POSIX ioctl()
 static status_t
-device_control(void* cookie, uint32 msg, void* params, size_t size)
+device_control(void* cookie, uint32 msg, void* _params, size_t size)
 {
 status_t err = B_ERROR;
 bt_usb_dev* bdev = (bt_usb_dev*)cookie;
@@ -609,11 +609,15 @@ device_control(void* cookie, uint32 msg, void* params, size_t size)
 return B_BAD_VALUE;
 }
- if (params == NULL) {
+ if (_params == NULL || !IS_USER_ADDRESS(_params)) {
 TRACE("%s: Invalid pointer control\n", __func__);
 return B_BAD_VALUE;
 }
+ void* params = alloca(size);
+ if (user_memcpy(params, _params, size) != B_OK)
+ return B_BAD_ADDRESS;
+
 acquire_sem(bdev->lock);
 switch (msg) {
@@ -634,7 +638,6 @@ device_control(void* cookie, uint32 msg, void* params, size_t size)
 break;
 case BT_UP:
- // EVENTS
 err = submit_rx_event(bdev);
 if (err != B_OK) {
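Review bot: In the second hunk, `alloca(size)` sizes a kernel-stack allocation directly from the caller-supplied ioctl length, and nothing visible in the hunk bounds `size` (the check that ends just above it may, but it lies outside the hunk), so an oversized request could exhaust the kernel stack before `user_memcpy` runs. Bound the length before allocating, e.g. `if (size > MAX_CONTROL_SIZE) return B_BAD_VALUE;`, where `MAX_CONTROL_SIZE` is a placeholder for a limit the driver would define, or switch to a heap buffer that is freed on every exit path. The copy is also one-way: if any case in the switch that follows (outside the hunk) writes results through `params`, they now land in the local copy and would need a `user_memcpy` back to `_params` before returning. device_control's body starts before and continues past this hunk.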