From: Domen Puncer <domen@coderock.org>

A few lines above the patch we have:

	char *srec;
	srec = kmalloc(SCIOC_SRECSIZE, GFP_KERNEL);

sizeof pointer is probably not meant here.

Signed-off-by: Domen Puncer <domen@coderock.org>
Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Karsten Keil <kkeil@suse.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
---

 drivers/isdn/sc/ioctl.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff -puN drivers/isdn/sc/ioctl.c~drivers-isdn-sc-ioctlc-copy_from_user-size-fix drivers/isdn/sc/ioctl.c
--- devel/drivers/isdn/sc/ioctl.c~drivers-isdn-sc-ioctlc-copy_from_user-size-fix	2006-01-22 02:55:45.000000000 -0800
+++ devel-akpm/drivers/isdn/sc/ioctl.c	2006-01-22 02:55:45.000000000 -0800
@@ -71,14 +71,14 @@ int sc_ioctl(int card, scs_ioctl *data)
 		/*
 		 * Get the SRec from user space
 		 */
-		if (copy_from_user(srec, data->dataptr, sizeof(srec))) {
+		if (copy_from_user(srec, data->dataptr, SCIOC_SRECSIZE)) {
 			kfree(rcvmsg);
 			kfree(srec);
 			return -EFAULT;
 		}
 
 		status = send_and_receive(card, CMPID, cmReqType2, cmReqClass0, cmReqLoadProc,
-				0, sizeof(srec), srec, rcvmsg, SAR_TIMEOUT);
+				0, SCIOC_SRECSIZE, srec, rcvmsg, SAR_TIMEOUT);
 		kfree(rcvmsg);
 		kfree(srec);
 
_