h2generic: Copy the user buffer before using it.

Augustin Cavalier 2018-11-18 14:50:53 -05:00
parent 2897df9676
commit 400ed5ca50


@ -591,7 +591,7 @@ device_free(void* cookie)
// implements the POSIX ioctl() // implements the POSIX ioctl()
static status_t static status_t
device_control(void* cookie, uint32 msg, void* params, size_t size) device_control(void* cookie, uint32 msg, void* _params, size_t size)
{ {
status_t err = B_ERROR; status_t err = B_ERROR;
bt_usb_dev* bdev = (bt_usb_dev*)cookie; bt_usb_dev* bdev = (bt_usb_dev*)cookie;
@ -609,11 +609,15 @@ device_control(void* cookie, uint32 msg, void* params, size_t size)
return B_BAD_VALUE; return B_BAD_VALUE;
} }
if (params == NULL) { if (_params == NULL || !IS_USER_ADDRESS(_params)) {
TRACE("%s: Invalid pointer control\n", __func__); TRACE("%s: Invalid pointer control\n", __func__);
return B_BAD_VALUE; return B_BAD_VALUE;
} }
void* params = alloca(size);
if (user_memcpy(params, _params, size) != B_OK)
return B_BAD_ADDRESS;
acquire_sem(bdev->lock); acquire_sem(bdev->lock);
switch (msg) { switch (msg) {
@ -634,7 +638,6 @@ device_control(void* cookie, uint32 msg, void* params, size_t size)
break; break;
case BT_UP: case BT_UP:
// EVENTS // EVENTS
err = submit_rx_event(bdev); err = submit_rx_event(bdev);
if (err != B_OK) { if (err != B_OK) {
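Review bot: The new `void* params = alloca(size);` in the second hunk sizes a kernel stack allocation from `size`, which comes from the ioctl caller and is not range-checked in any visible line, so an oversized value can run past the kernel stack before `user_memcpy` gets a chance to fail. A bound ahead of the allocation would close this, for example `if (size > MAX_PARAMS_SIZE) return B_BAD_VALUE;`, where MAX_PARAMS_SIZE is a placeholder for a limit the driver would have to define (a per-`msg` expected size would be tighter still). If large requests are legitimate, a heap buffer freed on every exit path is the alternative. The rest of device_control lies outside these hunks, so it is worth confirming whether an earlier check already bounds `size` and whether any command that returns data copies the local buffer back to `_params`.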