The caller could have a small buf passed (less then < blen).
Since, the length of count and blen is not checked, it can
write beyond the end of buf.
Change-Id: I9138cd742b6166937f3cc1cbf1af36f280c94bdb
Signed-off-by: Rashi Bindra <rbindra@codeaurora.org>
-/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2012-2018, The Linux Foundation. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
if (blen < 0)
return 0;
- if (copy_to_user(buf, buffer, blen))
+ if (copy_to_user(buf, buffer, min(count, (size_t)blen+1)))
return -EFAULT;
*ppos += blen;