diff options
| author | Jiri Kosina <jkosina@suse.cz> | 2010-04-22 20:08:44 -0400 |
|---|---|---|
| committer | Jiri Kosina <jkosina@suse.cz> | 2010-04-22 20:08:44 -0400 |
| commit | 6c9468e9eb1252eaefd94ce7f06e1be9b0b641b1 (patch) | |
| tree | 797676a336b050bfa1ef879377c07e541b9075d6 /drivers/firewire/core-cdev.c | |
| parent | 4cb3ca7cd7e2cae8d1daf5345ec99a1e8502cf3f (diff) | |
| parent | c81eddb0e3728661d1585fbc564449c94165cc36 (diff) | |
Merge branch 'master' into for-next
Diffstat (limited to 'drivers/firewire/core-cdev.c')
| -rw-r--r-- | drivers/firewire/core-cdev.c | 24 |
1 files changed, 14 insertions, 10 deletions
diff --git a/drivers/firewire/core-cdev.c b/drivers/firewire/core-cdev.c index 8be720b278b7..14a34d99eea2 100644 --- a/drivers/firewire/core-cdev.c +++ b/drivers/firewire/core-cdev.c | |||
| @@ -34,6 +34,7 @@ | |||
| 34 | #include <linux/mutex.h> | 34 | #include <linux/mutex.h> |
| 35 | #include <linux/poll.h> | 35 | #include <linux/poll.h> |
| 36 | #include <linux/sched.h> | 36 | #include <linux/sched.h> |
| 37 | #include <linux/slab.h> | ||
| 37 | #include <linux/spinlock.h> | 38 | #include <linux/spinlock.h> |
| 38 | #include <linux/string.h> | 39 | #include <linux/string.h> |
| 39 | #include <linux/time.h> | 40 | #include <linux/time.h> |
| @@ -959,6 +960,8 @@ static int ioctl_queue_iso(struct client *client, union ioctl_arg *arg) | |||
| 959 | u.packet.header_length = GET_HEADER_LENGTH(control); | 960 | u.packet.header_length = GET_HEADER_LENGTH(control); |
| 960 | 961 | ||
| 961 | if (ctx->type == FW_ISO_CONTEXT_TRANSMIT) { | 962 | if (ctx->type == FW_ISO_CONTEXT_TRANSMIT) { |
| 963 | if (u.packet.header_length % 4 != 0) | ||
| 964 | return -EINVAL; | ||
| 962 | header_length = u.packet.header_length; | 965 | header_length = u.packet.header_length; |
| 963 | } else { | 966 | } else { |
| 964 | /* | 967 | /* |
| @@ -968,7 +971,8 @@ static int ioctl_queue_iso(struct client *client, union ioctl_arg *arg) | |||
| 968 | if (ctx->header_size == 0) { | 971 | if (ctx->header_size == 0) { |
| 969 | if (u.packet.header_length > 0) | 972 | if (u.packet.header_length > 0) |
| 970 | return -EINVAL; | 973 | return -EINVAL; |
| 971 | } else if (u.packet.header_length % ctx->header_size != 0) { | 974 | } else if (u.packet.header_length == 0 || |
| 975 | u.packet.header_length % ctx->header_size != 0) { | ||
| 972 | return -EINVAL; | 976 | return -EINVAL; |
| 973 | } | 977 | } |
| 974 | header_length = 0; | 978 | header_length = 0; |
| @@ -1353,24 +1357,24 @@ static int dispatch_ioctl(struct client *client, | |||
| 1353 | return -ENODEV; | 1357 | return -ENODEV; |
| 1354 | 1358 | ||
| 1355 | if (_IOC_TYPE(cmd) != '#' || | 1359 | if (_IOC_TYPE(cmd) != '#' || |
| 1356 | _IOC_NR(cmd) >= ARRAY_SIZE(ioctl_handlers)) | 1360 | _IOC_NR(cmd) >= ARRAY_SIZE(ioctl_handlers) || |
| 1361 | _IOC_SIZE(cmd) > sizeof(buffer)) | ||
| 1357 | return -EINVAL; | 1362 | return -EINVAL; |
| 1358 | 1363 | ||
| 1359 | if (_IOC_DIR(cmd) & _IOC_WRITE) { | 1364 | if (_IOC_DIR(cmd) == _IOC_READ) |
| 1360 | if (_IOC_SIZE(cmd) > sizeof(buffer) || | 1365 | memset(&buffer, 0, _IOC_SIZE(cmd)); |
| 1361 | copy_from_user(&buffer, arg, _IOC_SIZE(cmd))) | 1366 | |
| 1367 | if (_IOC_DIR(cmd) & _IOC_WRITE) | ||
| 1368 | if (copy_from_user(&buffer, arg, _IOC_SIZE(cmd))) | ||
| 1362 | return -EFAULT; | 1369 | return -EFAULT; |
| 1363 | } | ||
| 1364 | 1370 | ||
| 1365 | ret = ioctl_handlers[_IOC_NR(cmd)](client, &buffer); | 1371 | ret = ioctl_handlers[_IOC_NR(cmd)](client, &buffer); |
| 1366 | if (ret < 0) | 1372 | if (ret < 0) |
| 1367 | return ret; | 1373 | return ret; |
| 1368 | 1374 | ||
| 1369 | if (_IOC_DIR(cmd) & _IOC_READ) { | 1375 | if (_IOC_DIR(cmd) & _IOC_READ) |
| 1370 | if (_IOC_SIZE(cmd) > sizeof(buffer) || | 1376 | if (copy_to_user(arg, &buffer, _IOC_SIZE(cmd))) |
| 1371 | copy_to_user(arg, &buffer, _IOC_SIZE(cmd))) | ||
| 1372 | return -EFAULT; | 1377 | return -EFAULT; |
| 1373 | } | ||
| 1374 | 1378 | ||
| 1375 | return ret; | 1379 | return ret; |
| 1376 | } | 1380 | } |