diff options
| author | Al Viro <viro@ftp.linux.org.uk> | 2008-05-21 01:32:11 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2008-05-21 19:55:59 -0400 |
| commit | 79bc12a0a09c2eb1ccbb01c192045f994567bda2 (patch) | |
| tree | 184c0e98c967f12b3805ebfbf9c69e6043ca6eb7 /fs/ecryptfs/miscdev.c | |
| parent | 4ec7ffa2df247054d422b48148ad82369a45e986 (diff) | |
ecryptfs fixes
memcpy() from userland pointer is a Bad Thing(tm)
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'fs/ecryptfs/miscdev.c')
| -rw-r--r-- | fs/ecryptfs/miscdev.c | 26 |
1 files changed, 12 insertions, 14 deletions
diff --git a/fs/ecryptfs/miscdev.c b/fs/ecryptfs/miscdev.c index 6560da1a58ce..50c994a249a5 100644 --- a/fs/ecryptfs/miscdev.c +++ b/fs/ecryptfs/miscdev.c | |||
| @@ -243,7 +243,6 @@ ecryptfs_miscdev_read(struct file *file, char __user *buf, size_t count, | |||
| 243 | struct ecryptfs_daemon *daemon; | 243 | struct ecryptfs_daemon *daemon; |
| 244 | struct ecryptfs_msg_ctx *msg_ctx; | 244 | struct ecryptfs_msg_ctx *msg_ctx; |
| 245 | size_t packet_length_size; | 245 | size_t packet_length_size; |
| 246 | u32 counter_nbo; | ||
| 247 | char packet_length[3]; | 246 | char packet_length[3]; |
| 248 | size_t i; | 247 | size_t i; |
| 249 | size_t total_length; | 248 | size_t total_length; |
| @@ -328,20 +327,18 @@ check_list: | |||
| 328 | "pending message\n", __func__, count, total_length); | 327 | "pending message\n", __func__, count, total_length); |
| 329 | goto out_unlock_msg_ctx; | 328 | goto out_unlock_msg_ctx; |
| 330 | } | 329 | } |
| 331 | i = 0; | 330 | rc = -EFAULT; |
| 332 | buf[i++] = msg_ctx->type; | 331 | if (put_user(msg_ctx->type, buf)) |
| 333 | counter_nbo = cpu_to_be32(msg_ctx->counter); | 332 | goto out_unlock_msg_ctx; |
| 334 | memcpy(&buf[i], (char *)&counter_nbo, 4); | 333 | if (put_user(cpu_to_be32(msg_ctx->counter), (__be32 __user *)(buf + 1))) |
| 335 | i += 4; | 334 | goto out_unlock_msg_ctx; |
| 335 | i = 5; | ||
| 336 | if (msg_ctx->msg) { | 336 | if (msg_ctx->msg) { |
| 337 | memcpy(&buf[i], packet_length, packet_length_size); | 337 | if (copy_to_user(&buf[i], packet_length, packet_length_size)) |
| 338 | goto out_unlock_msg_ctx; | ||
| 338 | i += packet_length_size; | 339 | i += packet_length_size; |
| 339 | rc = copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size); | 340 | if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size)) |
| 340 | if (rc) { | ||
| 341 | printk(KERN_ERR "%s: copy_to_user returned error " | ||
| 342 | "[%d]\n", __func__, rc); | ||
| 343 | goto out_unlock_msg_ctx; | 341 | goto out_unlock_msg_ctx; |
| 344 | } | ||
| 345 | i += msg_ctx->msg_size; | 342 | i += msg_ctx->msg_size; |
| 346 | } | 343 | } |
| 347 | rc = i; | 344 | rc = i; |
| @@ -452,7 +449,8 @@ static ssize_t | |||
| 452 | ecryptfs_miscdev_write(struct file *file, const char __user *buf, | 449 | ecryptfs_miscdev_write(struct file *file, const char __user *buf, |
| 453 | size_t count, loff_t *ppos) | 450 | size_t count, loff_t *ppos) |
| 454 | { | 451 | { |
| 455 | u32 counter_nbo, seq; | 452 | __be32 counter_nbo; |
| 453 | u32 seq; | ||
| 456 | size_t packet_size, packet_size_length, i; | 454 | size_t packet_size, packet_size_length, i; |
| 457 | ssize_t sz = 0; | 455 | ssize_t sz = 0; |
| 458 | char *data; | 456 | char *data; |
| @@ -485,7 +483,7 @@ ecryptfs_miscdev_write(struct file *file, const char __user *buf, | |||
| 485 | count); | 483 | count); |
| 486 | goto out_free; | 484 | goto out_free; |
| 487 | } | 485 | } |
| 488 | memcpy((char *)&counter_nbo, &data[i], 4); | 486 | memcpy(&counter_nbo, &data[i], 4); |
| 489 | seq = be32_to_cpu(counter_nbo); | 487 | seq = be32_to_cpu(counter_nbo); |
| 490 | i += 4; | 488 | i += 4; |
| 491 | rc = ecryptfs_parse_packet_length(&data[i], &packet_size, | 489 | rc = ecryptfs_parse_packet_length(&data[i], &packet_size, |