ipc: tighten msg copy loops

Signed-off-by: Peter Hurley <peter@hurleysoftware.com> Acked-by: Stanislav Kinsbursky <skinsbursky@parallels.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
author: Peter Hurley <peter@hurleysoftware.com> 2013-04-30 22:14:37 -0400
committer: Linus Torvalds <torvalds@linux-foundation.org> 2013-05-01 11:12:57 -0400
commit: da085d4591a6fe11eac2e1f659f25b655e9f2e53 (patch)
tree: 3f6ce1efcbf85c4a3752ef848c0fdf1e62381688 /ipc
parent: be5f4b335f6e05df1b5c24b7e7d79ff52d7b8dbc (diff)
1 files changed, 11 insertions, 21 deletions
diff --git a/ipc/msgutil.c b/ipc/msgutil.c
index 0a5c8a95c257..b79582d461a4 100644
--- a/ipc/msgutil.c
+++ b/ipc/msgutil.c
@@ -97,18 +97,14 @@ struct msg_msg *load_msg(const void __user *src, int len)
                goto out_err;
        }
-        len -= alen;
+        for (seg = msg->next; seg != NULL; seg = seg->next) {
-        src = ((char __user *)src) + alen;
+                len -= alen;
-        seg = msg->next;
+                src = (char __user *)src + alen;
-        while (len > 0) {
                alen = min(len, DATALEN_SEG);
                if (copy_from_user(seg + 1, src, alen)) {
                        err = -EFAULT;
                        goto out_err;
                }
-                seg = seg->next;
-                len -= alen;
-                src = ((char __user *)src) + alen;
        }
        err = security_msg_msg_alloc(msg);
@@ -135,15 +131,13 @@ struct msg_msg *copy_msg(struct msg_msg *src, struct msg_msg *dst)
        alen = min(len, DATALEN_MSG);
        memcpy(dst + 1, src + 1, alen);
-        len -= alen;
+        for (dst_pseg = dst->next, src_pseg = src->next;
-        dst_pseg = dst->next;
+             src_pseg != NULL;
-        src_pseg = src->next;
+             dst_pseg = dst_pseg->next, src_pseg = src_pseg->next) {
-        while (len > 0) {
+                len -= alen;
                alen = min(len, DATALEN_SEG);
                memcpy(dst_pseg + 1, src_pseg + 1, alen);
-                dst_pseg = dst_pseg->next;
-                len -= alen;
-                src_pseg = src_pseg->next;
        }
        dst->m_type = src->m_type;
@@ -166,16 +160,12 @@ int store_msg(void __user *dest, struct msg_msg *msg, int len)
        if (copy_to_user(dest, msg + 1, alen))
                return -1;
-        len -= alen;
+        for (seg = msg->next; seg != NULL; seg = seg->next) {
-        dest = ((char __user *)dest) + alen;
+                len -= alen;
-        seg = msg->next;
+                dest = (char __user *)dest + alen;
-        while (len > 0) {
                alen = min(len, DATALEN_SEG);
                if (copy_to_user(dest, seg + 1, alen))
                        return -1;
-                len -= alen;
-                dest = ((char __user *)dest) + alen;
-                seg = seg->next;
        }
        return 0;
 }
author	Peter Hurley <peter@hurleysoftware.com>	2013-04-30 22:14:37 -0400
committer	Linus Torvalds <torvalds@linux-foundation.org>	2013-05-01 11:12:57 -0400
commit	da085d4591a6fe11eac2e1f659f25b655e9f2e53 (patch)
tree	3f6ce1efcbf85c4a3752ef848c0fdf1e62381688 /ipc
parent	be5f4b335f6e05df1b5c24b7e7d79ff52d7b8dbc (diff)

diff --git a/ipc/msgutil.c b/ipc/msgutil.c index 0a5c8a95c257..b79582d461a4 100644 --- a/ipc/msgutil.c +++ b/ipc/msgutil.c
@@ -97,18 +97,14 @@ struct msg_msg load_msg(const void __user src, int len)
97	goto out_err;	97	goto out_err;
98	}	98	}
99		99
100	len -= alen;	100	for (seg = msg->next; seg != NULL; seg = seg->next) {
101	src = ((char __user *)src) + alen;	101	len -= alen;
102	seg = msg->next;	102	src = (char __user *)src + alen;
103	while (len > 0) {
104	alen = min(len, DATALEN_SEG);	103	alen = min(len, DATALEN_SEG);
105	if (copy_from_user(seg + 1, src, alen)) {	104	if (copy_from_user(seg + 1, src, alen)) {
106	err = -EFAULT;	105	err = -EFAULT;
107	goto out_err;	106	goto out_err;
108	}	107	}
109	seg = seg->next;
110	len -= alen;
111	src = ((char __user *)src) + alen;
112	}	108	}
113		109
114	err = security_msg_msg_alloc(msg);	110	err = security_msg_msg_alloc(msg);
@@ -135,15 +131,13 @@ struct msg_msg copy_msg(struct msg_msg src, struct msg_msg *dst)
135	alen = min(len, DATALEN_MSG);	131	alen = min(len, DATALEN_MSG);
136	memcpy(dst + 1, src + 1, alen);	132	memcpy(dst + 1, src + 1, alen);
137		133
138	len -= alen;	134	for (dst_pseg = dst->next, src_pseg = src->next;
139	dst_pseg = dst->next;	135	src_pseg != NULL;
140	src_pseg = src->next;	136	dst_pseg = dst_pseg->next, src_pseg = src_pseg->next) {
141	while (len > 0) {	137
		138	len -= alen;
142	alen = min(len, DATALEN_SEG);	139	alen = min(len, DATALEN_SEG);
143	memcpy(dst_pseg + 1, src_pseg + 1, alen);	140	memcpy(dst_pseg + 1, src_pseg + 1, alen);
144	dst_pseg = dst_pseg->next;
145	len -= alen;
146	src_pseg = src_pseg->next;
147	}	141	}
148		142
149	dst->m_type = src->m_type;	143	dst->m_type = src->m_type;
@@ -166,16 +160,12 @@ int store_msg(void __user dest, struct msg_msg msg, int len)
166	if (copy_to_user(dest, msg + 1, alen))	160	if (copy_to_user(dest, msg + 1, alen))
167	return -1;	161	return -1;
168		162
169	len -= alen;	163	for (seg = msg->next; seg != NULL; seg = seg->next) {
170	dest = ((char __user *)dest) + alen;	164	len -= alen;
171	seg = msg->next;	165	dest = (char __user *)dest + alen;
172	while (len > 0) {
173	alen = min(len, DATALEN_SEG);	166	alen = min(len, DATALEN_SEG);
174	if (copy_to_user(dest, seg + 1, alen))	167	if (copy_to_user(dest, seg + 1, alen))
175	return -1;	168	return -1;
176	len -= alen;
177	dest = ((char __user *)dest) + alen;
178	seg = seg->next;
179	}	169	}
180	return 0;	170	return 0;
181	}	171	}