authorAl Viro <viro@ftp.linux.org.uk>2008-05-21 01:32:11 -0400
committerLinus Torvalds <torvalds@linux-foundation.org>2008-05-21 19:55:59 -0400
commit79bc12a0a09c2eb1ccbb01c192045f994567bda2 (patch)
tree184c0e98c967f12b3805ebfbf9c69e6043ca6eb7 /fs
parent4ec7ffa2df247054d422b48148ad82369a45e986 (diff)
ecryptfs fixes
memcpy() from userland pointer is a Bad Thing(tm) Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'fs')
-rw-r--r--fs/ecryptfs/miscdev.c26
1 files changed, 12 insertions, 14 deletions
diff --git a/fs/ecryptfs/miscdev.c b/fs/ecryptfs/miscdev.c
index 6560da1a58ce..50c994a249a5 100644
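--- a/fs/ecryptfs/miscdev.c
+++ b/fs/ecryptfs/miscdev.c
@@ -243,7 +243,6 @@ ecryptfs_miscdev_read(struct file *file, char __user *buf, size_t count,
  struct ecryptfs_daemon *daemon;
  struct ecryptfs_msg_ctx *msg_ctx;
  size_t packet_length_size;
- u32 counter_nbo;
  char packet_length[3];
  size_t i;
  size_t total_length;
@@ -328,20 +327,18 @@ check_list:
  "pending message\n", __func__, count, total_length);
  goto out_unlock_msg_ctx;
  }
- i = 0;
- buf[i++] = msg_ctx->type;
- counter_nbo = cpu_to_be32(msg_ctx->counter);
- memcpy(&buf[i], (char *)&counter_nbo, 4);
- i += 4;
+ rc = -EFAULT;
+ if (put_user(msg_ctx->type, buf))
+ goto out_unlock_msg_ctx;
+ if (put_user(cpu_to_be32(msg_ctx->counter), (__be32 __user *)(buf + 1)))
+ goto out_unlock_msg_ctx;
+ i = 5;
  if (msg_ctx->msg) {
- memcpy(&buf[i], packet_length, packet_length_size);
+ if (copy_to_user(&buf[i], packet_length, packet_length_size))
+ goto out_unlock_msg_ctx;
  i += packet_length_size;
- rc = copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size);
- if (rc) {
- printk(KERN_ERR "%s: copy_to_user returned error "
- "[%d]\n", __func__, rc);
+ if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size))
  goto out_unlock_msg_ctx;
- }
  i += msg_ctx->msg_size;
  }
  rc = i;
@@ -452,7 +449,8 @@ static ssize_t
 ecryptfs_miscdev_write(struct file *file, const char __user *buf,
  size_t count, loff_t *ppos)
 {
- u32 counter_nbo, seq;
+ __be32 counter_nbo;
+ u32 seq;
  size_t packet_size, packet_size_length, i;
  ssize_t sz = 0;
  char *data;
@@ -485,7 +483,7 @@ ecryptfs_miscdev_write(struct file *file, const char __user *buf,
  count);
  goto out_free;
  }
- memcpy((char *)&counter_nbo, &data[i], 4);
+ memcpy(&counter_nbo, &data[i], 4);
  seq = be32_to_cpu(counter_nbo);
  i += 4;
  rc = ecryptfs_parse_packet_length(&data[i], &packet_size,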
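Review bot: In the second hunk of ecryptfs_miscdev_read(), the packet header layout is now encoded as the bare offsets `buf + 1` and `i = 5`, so the two put_user() calls and every later `&buf[i]` copy stay consistent only if all of them are edited together. I would tie the offset to the fields with `i = 1 + sizeof(__be32); /* 1-byte type + 4-byte big-endian counter */` and use the same expression for the counter's address. Separately, `buf + 1` is normally not 4-byte aligned, so the `__be32` put_user() appears to rely on the architecture tolerating unaligned user stores; if that is not guaranteed on every supported target, keeping a local `__be32 counter_nbo` and calling `copy_to_user(buf + 1, &counter_nbo, sizeof(counter_nbo))` sidesteps the question. The function body starts and ends outside the hunks, so the `count` versus `total_length` check that bounds these writes is only partly visible here.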