diff options
author | Nate Case <ncase@xes-inc.com> | 2008-05-12 16:14:14 -0400 |
---|---|---|
committer | Paul Mackerras <paulus@samba.org> | 2008-05-15 06:49:52 -0400 |
commit | 9c8387afdc93f90bf0241411d44e011d8d5b76df (patch) | |
tree | 97611f22b5a627f5d6067aae0bff6c32247fb577 | |
parent | 64e4566f6d590fbb284da061b9b664c2486dd2de (diff) |
[POWERPC] Fix uninitialized variable bug in copy_{to|from}_user
Calls to copy_to_user() or copy_from_user() can fail when copying N
bytes, where N is a constant less than 8, but not 1, 2, 4, or 8,
because 'ret' is not initialized and is only set if the size is 1,
2, 4 or 8, but is tested after the switch statement for any constant
size <= 8. This fixes it by initializing 'ret' to 1, causing the
code to fall through to the __copy_tofrom_user call for sizes other
than 1, 2, 4 or 8.
Signed-off-by: Dave Scidmore <dscidmore@xes-inc.com>
Signed-off-by: Nate Case <ncase@xes-inc.com>
Signed-off-by: Paul Mackerras <paulus@samba.org>
-rw-r--r-- | include/asm-powerpc/uaccess.h | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/include/asm-powerpc/uaccess.h b/include/asm-powerpc/uaccess.h index 8e798e3758bc..1a0736f8803f 100644 --- a/include/asm-powerpc/uaccess.h +++ b/include/asm-powerpc/uaccess.h | |||
@@ -380,7 +380,7 @@ static inline unsigned long __copy_from_user_inatomic(void *to, | |||
380 | const void __user *from, unsigned long n) | 380 | const void __user *from, unsigned long n) |
381 | { | 381 | { |
382 | if (__builtin_constant_p(n) && (n <= 8)) { | 382 | if (__builtin_constant_p(n) && (n <= 8)) { |
383 | unsigned long ret; | 383 | unsigned long ret = 1; |
384 | 384 | ||
385 | switch (n) { | 385 | switch (n) { |
386 | case 1: | 386 | case 1: |
@@ -406,7 +406,7 @@ static inline unsigned long __copy_to_user_inatomic(void __user *to, | |||
406 | const void *from, unsigned long n) | 406 | const void *from, unsigned long n) |
407 | { | 407 | { |
408 | if (__builtin_constant_p(n) && (n <= 8)) { | 408 | if (__builtin_constant_p(n) && (n <= 8)) { |
409 | unsigned long ret; | 409 | unsigned long ret = 1; |
410 | 410 | ||
411 | switch (n) { | 411 | switch (n) { |
412 | case 1: | 412 | case 1: |