NFC: Copy user space buffer when sending UI frames

Using the userspace IO vector directly is wrong, we should copy it from
user space first.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>

1 files changed, 13 insertions, 2 deletions

diff --git a/net/nfc/llcp/commands.c b/net/nfc/llcp/commands.c
index ed2d17312d61..f0a39456f26b 100644
--- a/net/nfc/llcp/commands.c
+++ b/net/nfc/llcp/commands.c
@@ -579,7 +579,7 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap,
         struct sk_buff *pdu;
         struct nfc_llcp_local *local;
         size_t frag_len = 0, remaining_len;
-        u8 *msg_ptr;
+        u8 *msg_ptr, *msg_data;
         int err;
 
         pr_debug("Send UI frame len %zd\n", len);
@@ -588,8 +588,17 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap,
         if (local == NULL)
                 return -ENODEV;
 
+        msg_data = kzalloc(len, GFP_KERNEL);
+        if (msg_data == NULL)
+                return -ENOMEM;
+
+        if (memcpy_fromiovec(msg_data, msg->msg_iov, len)) {
+                kfree(msg_data);
+                return -EFAULT;
+        }
+
         remaining_len = len;
-        msg_ptr = (u8 *) msg->msg_iov;
+        msg_ptr = msg_data;
 
         while (remaining_len > 0) {
 
@@ -616,6 +625,8 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap,
                 msg_ptr += frag_len;
         }
 
+        kfree(msg_data);
+
         return len;
 }