author | Tyler Hicks <tyhicks@linux.vnet.ibm.com> | 2009-03-15 15:17:01 -0400 |
committer | Tyler Hicks <tyhicks@linux.vnet.ibm.com> | 2009-04-22 04:54:13 -0400 |
commit | 57ea34d19963781d05eb12f9b31bd4f70d61ec16 (patch) | |
tree | 5a912a7515234eb73147c32197ecbc7ca429bde8 /fs/ecryptfs/miscdev.c | |
parent | ae6e84596e7b321d9a08e81679c6a3f799634636 (diff) |
eCryptfs: NULL pointer dereference in ecryptfs_send_miscdev()
If data is NULL, msg_ctx->msg is set to NULL and then dereferenced
afterwards. ecryptfs_send_raw_message() is the only place that
ecryptfs_send_miscdev() is called with data being NULL, but the only
caller of that function (ecryptfs_process_helo()) is never called. In
short, there is currently no way to trigger the NULL pointer
dereference.
This patch removes the two unused functions and modifies
ecryptfs_send_miscdev() to remove the NULL dereferences.
Signed-off-by: Tyler Hicks <tyhicks@linux.vnet.ibm.com>
Diffstat (limited to 'fs/ecryptfs/miscdev.c')
-rw-r--r-- | fs/ecryptfs/miscdev.c | 28 |
1 files changed, 11 insertions, 17 deletions
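--- a/fs/ecryptfs/miscdev.c
+++ b/fs/ecryptfs/miscdev.c
@@ -193,26 +193,20 @@ int ecryptfs_send_miscdev(char *data, size_t data_size,
 	int rc = 0;
 
 	mutex_lock(&msg_ctx->mux);
-	if (data) {
-		msg_ctx->msg = kmalloc((sizeof(*msg_ctx->msg) + data_size),
-				       GFP_KERNEL);
-		if (!msg_ctx->msg) {
-			rc = -ENOMEM;
-			printk(KERN_ERR "%s: Out of memory whilst attempting "
-			       "to kmalloc(%zd, GFP_KERNEL)\n", __func__,
-			       (sizeof(*msg_ctx->msg) + data_size));
-			goto out_unlock;
-		}
-	} else
-		msg_ctx->msg = NULL;
+	msg_ctx->msg = kmalloc((sizeof(*msg_ctx->msg) + data_size),
+			       GFP_KERNEL);
+	if (!msg_ctx->msg) {
+		rc = -ENOMEM;
+		printk(KERN_ERR "%s: Out of memory whilst attempting "
+		       "to kmalloc(%zd, GFP_KERNEL)\n", __func__,
+		       (sizeof(*msg_ctx->msg) + data_size));
+		goto out_unlock;
+	}
 	msg_ctx->msg->index = msg_ctx->index;
 	msg_ctx->msg->data_len = data_size;
 	msg_ctx->type = msg_type;
-	if (data) {
-		memcpy(msg_ctx->msg->data, data, data_size);
-		msg_ctx->msg_size = (sizeof(*msg_ctx->msg) + data_size);
-	} else
-		msg_ctx->msg_size = 0;
+	memcpy(msg_ctx->msg->data, data, data_size);
+	msg_ctx->msg_size = (sizeof(*msg_ctx->msg) + data_size);
 	mutex_lock(&daemon->mux);
 	list_add_tail(&msg_ctx->daemon_out_list, &daemon->msg_ctx_out_queue);
 	daemon->num_queued_msg_ctx++;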
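Review bot: With both `if (data)` branches gone, the new line 208 `memcpy(msg_ctx->msg->data, data, data_size)` turns a non-NULL `data` into an unchecked precondition of ecryptfs_send_miscdev(), while the prototype still accepts a plain `char *`; the description says the only NULL-passing callers are deleted, but nothing in the function enforces that for future callers. A guard ahead of the first lock, `if (!data) return -EINVAL;`, or failing that a comment on the prototype such as `/* data must be non-NULL; the message is allocated as sizeof(*msg) + data_size */`, would make the new contract visible where it is relied on. The retained `%zd` on the new line 201 formats a `size_t` and should be `%zu`, and if `data_size` is not bounded by the caller the `sizeof(*msg_ctx->msg) + data_size` allocation size could wrap, though from this hunk alone that cannot be confirmed. The function's signature and its `out_unlock` tail lie outside the hunk.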