authorRyusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>2009-05-11 10:24:47 -0400
committerRyusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>2009-05-11 12:48:54 -0400
commit83aca8f480fcd2d9748301a5d060cf947dc75b94 (patch)
tree008c96d1017b835e3d54344c0a2c77d780086979 /fs
parent4f6b828837b4e3836f2c9ac2f0eab9773b6c1327 (diff)
nilfs2: check size of array structured data exchanged via ioctls
Although some ioctls of nilfs2 exchange data in the form of indirectly referenced array, some of them lack size check on the array elements. This inserts the missing checks and rejects requests if data of ioctl does not have a valid format. We usually don't have to check size of structures that we associated with ioctl commands because the size is tested implicitly for identifying ioctl command; the checks this patch adds are for the cases where the implicit check is not applied. Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
Diffstat (limited to 'fs')
-rw-r--r--fs/nilfs2/ioctl.c10
1 files changed, 10 insertions, 0 deletions
diff --git a/fs/nilfs2/ioctl.c b/fs/nilfs2/ioctl.c
index 49489f68eabe..50ff3f2cdf24 100644
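--- a/fs/nilfs2/ioctl.c
+++ b/fs/nilfs2/ioctl.c
@@ -254,6 +254,9 @@ static int nilfs_ioctl_get_bdescs(struct inode *inode, struct file *filp,
 if (copy_from_user(&argv, argp, sizeof(argv)))
 return -EFAULT;
 
+if (argv.v_size != sizeof(struct nilfs_bdesc))
+return -EINVAL;
+
 ret = nilfs_ioctl_wrap_copy(nilfs, &argv, _IOC_DIR(cmd),
 nilfs_ioctl_do_get_bdescs);
 if (ret < 0)
@@ -599,6 +602,7 @@ static int nilfs_ioctl_sync(struct inode *inode, struct file *filp,
 
 static int nilfs_ioctl_get_info(struct inode *inode, struct file *filp,
 unsigned int cmd, void __user *argp,
+size_t membsz,
 ssize_t (*dofunc)(struct the_nilfs *,
 __u64 *, int,
 void *, size_t, size_t))
@@ -611,6 +615,9 @@ static int nilfs_ioctl_get_info(struct inode *inode, struct file *filp,
 if (copy_from_user(&argv, argp, sizeof(argv)))
 return -EFAULT;
 
+if (argv.v_size != membsz)
+return -EINVAL;
+
 ret = nilfs_ioctl_wrap_copy(nilfs, &argv, _IOC_DIR(cmd), dofunc);
 if (ret < 0)
 return ret;
@@ -632,16 +639,19 @@ long nilfs_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
 return nilfs_ioctl_delete_checkpoint(inode, filp, cmd, argp);
 case NILFS_IOCTL_GET_CPINFO:
 return nilfs_ioctl_get_info(inode, filp, cmd, argp,
+sizeof(struct nilfs_cpinfo),
 nilfs_ioctl_do_get_cpinfo);
 case NILFS_IOCTL_GET_CPSTAT:
 return nilfs_ioctl_get_cpstat(inode, filp, cmd, argp);
 case NILFS_IOCTL_GET_SUINFO:
 return nilfs_ioctl_get_info(inode, filp, cmd, argp,
+sizeof(struct nilfs_suinfo),
 nilfs_ioctl_do_get_suinfo);
 case NILFS_IOCTL_GET_SUSTAT:
 return nilfs_ioctl_get_sustat(inode, filp, cmd, argp);
 case NILFS_IOCTL_GET_VINFO:
 return nilfs_ioctl_get_info(inode, filp, cmd, argp,
+sizeof(struct nilfs_vinfo),
 nilfs_ioctl_do_get_vinfo);
 case NILFS_IOCTL_GET_BDESCS:
 return nilfs_ioctl_get_bdescs(inode, filp, cmd, argp);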
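Review bot: The new guards in nilfs_ioctl_get_bdescs and nilfs_ioctl_get_info validate only `argv.v_size`; the element count `v_nmembs`, copied from userspace in the same `argv`, still reaches `nilfs_ioctl_wrap_copy()` without any check in these hunks. Whether that helper bounds the count and the resulting `v_size * v_nmembs` span is not visible here (both function bodies continue outside the hunks), so it is worth confirming before relying on the size check alone. A one-line comment above each check would make the trust boundary explicit, e.g. `/* argv is user-supplied: v_size must equal the kernel's element size */`. The added `membsz` parameter of nilfs_ioctl_get_info is undocumented; a function comment should state that it is the expected size of one array element for the command being dispatched.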