diff options
author | Al Viro <viro@ftp.linux.org.uk> | 2008-05-21 01:32:11 -0400 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2008-05-21 19:55:59 -0400 |
commit | 79bc12a0a09c2eb1ccbb01c192045f994567bda2 (patch) | |
tree | 184c0e98c967f12b3805ebfbf9c69e6043ca6eb7 /fs | |
parent | 4ec7ffa2df247054d422b48148ad82369a45e986 (diff) |
ecryptfs fixes
memcpy() from userland pointer is a Bad Thing(tm)
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'fs')
-rw-r--r-- | fs/ecryptfs/miscdev.c | 26 |
1 files changed, 12 insertions, 14 deletions
diff --git a/fs/ecryptfs/miscdev.c b/fs/ecryptfs/miscdev.c index 6560da1a58ce..50c994a249a5 100644 --- a/fs/ecryptfs/miscdev.c +++ b/fs/ecryptfs/miscdev.c | |||
@@ -243,7 +243,6 @@ ecryptfs_miscdev_read(struct file *file, char __user *buf, size_t count, | |||
243 | struct ecryptfs_daemon *daemon; | 243 | struct ecryptfs_daemon *daemon; |
244 | struct ecryptfs_msg_ctx *msg_ctx; | 244 | struct ecryptfs_msg_ctx *msg_ctx; |
245 | size_t packet_length_size; | 245 | size_t packet_length_size; |
246 | u32 counter_nbo; | ||
247 | char packet_length[3]; | 246 | char packet_length[3]; |
248 | size_t i; | 247 | size_t i; |
249 | size_t total_length; | 248 | size_t total_length; |
@@ -328,20 +327,18 @@ check_list: | |||
328 | "pending message\n", __func__, count, total_length); | 327 | "pending message\n", __func__, count, total_length); |
329 | goto out_unlock_msg_ctx; | 328 | goto out_unlock_msg_ctx; |
330 | } | 329 | } |
331 | i = 0; | 330 | rc = -EFAULT; |
332 | buf[i++] = msg_ctx->type; | 331 | if (put_user(msg_ctx->type, buf)) |
333 | counter_nbo = cpu_to_be32(msg_ctx->counter); | 332 | goto out_unlock_msg_ctx; |
334 | memcpy(&buf[i], (char *)&counter_nbo, 4); | 333 | if (put_user(cpu_to_be32(msg_ctx->counter), (__be32 __user *)(buf + 1))) |
335 | i += 4; | 334 | goto out_unlock_msg_ctx; |
335 | i = 5; | ||
336 | if (msg_ctx->msg) { | 336 | if (msg_ctx->msg) { |
337 | memcpy(&buf[i], packet_length, packet_length_size); | 337 | if (copy_to_user(&buf[i], packet_length, packet_length_size)) |
338 | goto out_unlock_msg_ctx; | ||
338 | i += packet_length_size; | 339 | i += packet_length_size; |
339 | rc = copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size); | 340 | if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size)) |
340 | if (rc) { | ||
341 | printk(KERN_ERR "%s: copy_to_user returned error " | ||
342 | "[%d]\n", __func__, rc); | ||
343 | goto out_unlock_msg_ctx; | 341 | goto out_unlock_msg_ctx; |
344 | } | ||
345 | i += msg_ctx->msg_size; | 342 | i += msg_ctx->msg_size; |
346 | } | 343 | } |
347 | rc = i; | 344 | rc = i; |
@@ -452,7 +449,8 @@ static ssize_t | |||
452 | ecryptfs_miscdev_write(struct file *file, const char __user *buf, | 449 | ecryptfs_miscdev_write(struct file *file, const char __user *buf, |
453 | size_t count, loff_t *ppos) | 450 | size_t count, loff_t *ppos) |
454 | { | 451 | { |
455 | u32 counter_nbo, seq; | 452 | __be32 counter_nbo; |
453 | u32 seq; | ||
456 | size_t packet_size, packet_size_length, i; | 454 | size_t packet_size, packet_size_length, i; |
457 | ssize_t sz = 0; | 455 | ssize_t sz = 0; |
458 | char *data; | 456 | char *data; |
@@ -485,7 +483,7 @@ ecryptfs_miscdev_write(struct file *file, const char __user *buf, | |||
485 | count); | 483 | count); |
486 | goto out_free; | 484 | goto out_free; |
487 | } | 485 | } |
488 | memcpy((char *)&counter_nbo, &data[i], 4); | 486 | memcpy(&counter_nbo, &data[i], 4); |
489 | seq = be32_to_cpu(counter_nbo); | 487 | seq = be32_to_cpu(counter_nbo); |
490 | i += 4; | 488 | i += 4; |
491 | rc = ecryptfs_parse_packet_length(&data[i], &packet_size, | 489 | rc = ecryptfs_parse_packet_length(&data[i], &packet_size, |