-rw-r--r--arch/sparc/kernel/sys_sparc.c10
-rw-r--r--arch/sparc64/kernel/sys_sparc.c10
-rw-r--r--drivers/sbus/char/openprom.c13
3 files changed, 22 insertions, 11 deletions
diff --git a/arch/sparc/kernel/sys_sparc.c b/arch/sparc/kernel/sys_sparc.c
index 94ff58c9d4a9..896863fb208a 100644
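--- a/arch/sparc/kernel/sys_sparc.c
+++ b/arch/sparc/kernel/sys_sparc.c
@@ -470,19 +470,21 @@ asmlinkage int sys_getdomainname(char __user *name, int len)
 {
 int nlen, err;
 
-if (len < 0 || len > __NEW_UTS_LEN)
+if (len < 0)
 return -EINVAL;
 
 down_read(&uts_sem);
 
 nlen = strlen(system_utsname.domainname) + 1;
-if (nlen < len)
-len = nlen;
+err = -EINVAL;
+if (nlen > len)
+goto out;
 
 err = -EFAULT;
-if (!copy_to_user(name, system_utsname.domainname, len))
+if (!copy_to_user(name, system_utsname.domainname, nlen))
 err = 0;
 
+out:
 up_read(&uts_sem);
 return err;
 }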
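Review bot: With the `len > __NEW_UTS_LEN` check removed, the byte count handed to copy_to_user() is now `nlen`, so it is bounded only by `system_utsname.domainname` being NUL-terminated inside its own array; that invariant is established elsewhere and is not visible in this hunk. A short comment above the strlen() line would make the reliance explicit, for example `/* nlen counts the trailing NUL; a buffer too small for the whole name is rejected, never truncated */`. The same comment documents that a short buffer now yields -EINVAL instead of a silently truncated copy, which is a behaviour change callers can observe. The identical hunk in arch/sparc64/kernel/sys_sparc.c needs the same comment.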
diff --git a/arch/sparc64/kernel/sys_sparc.c b/arch/sparc64/kernel/sys_sparc.c
index bf5f14ee73de..c608c947e6c3 100644
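--- a/arch/sparc64/kernel/sys_sparc.c
+++ b/arch/sparc64/kernel/sys_sparc.c
@@ -707,19 +707,21 @@ asmlinkage long sys_getdomainname(char __user *name, int len)
 {
 int nlen, err;
 
-if (len < 0 || len > __NEW_UTS_LEN)
+if (len < 0)
 return -EINVAL;
 
 down_read(&uts_sem);
 
 nlen = strlen(system_utsname.domainname) + 1;
-if (nlen < len)
-len = nlen;
+err = -EINVAL;
+if (nlen > len)
+goto out;
 
 err = -EFAULT;
-if (!copy_to_user(name, system_utsname.domainname, len))
+if (!copy_to_user(name, system_utsname.domainname, nlen))
 err = 0;
 
+out:
 up_read(&uts_sem);
 return err;
 }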
diff --git a/drivers/sbus/char/openprom.c b/drivers/sbus/char/openprom.c
index 293bb2fdb1d5..2f698763ba5d 100644
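--- a/drivers/sbus/char/openprom.c
+++ b/drivers/sbus/char/openprom.c
@@ -145,8 +145,9 @@ static int opromgetprop(void __user *argp, struct device_node *dp, struct openpr
 void *pval;
 int len;
 
-pval = of_get_property(dp, op->oprom_array, &len);
-if (!pval || len <= 0 || len > bufsize)
+if (!dp ||
+!(pval = of_get_property(dp, op->oprom_array, &len)) ||
+len <= 0 || len > bufsize)
 return copyout(argp, op, sizeof(int));
 
 memcpy(op->oprom_array, pval, len);
@@ -161,6 +162,8 @@ static int opromnxtprop(void __user *argp, struct device_node *dp, struct openpr
 struct property *prop;
 int len;
 
+if (!dp)
+return copyout(argp, op, sizeof(int));
 if (op->oprom_array[0] == '\0') {
 prop = dp->properties;
 if (!prop)
@@ -266,9 +269,13 @@ static int oprompci2node(void __user *argp, struct device_node *dp, struct openp
 
 static int oprompath2node(void __user *argp, struct device_node *dp, struct openpromio *op, int bufsize, DATA *data)
 {
+phandle ph = 0;
+
 dp = of_find_node_by_path(op->oprom_array);
+if (dp)
+ph = dp->node;
 data->current_node = dp;
-*((int *)op->oprom_array) = dp->node;
+*((int *)op->oprom_array) = ph;
 op->oprom_size = sizeof(int);
 
 return copyout(argp, op, bufsize + sizeof(int));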
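Review bot: oprompath2node still stores the lookup result in `data->current_node` when of_find_node_by_path() returns NULL, so a NULL current node can reach later calls, and the visible hunks add a `!dp` guard only to opromgetprop and opromnxtprop. Handlers whose bodies lie outside these hunks (oprompci2node appears only in a hunk header) should be checked for the same dereference, since they presumably receive the same pointer as `dp`. A comment at the assignment would record the contract, for example `/* may be NULL after a failed lookup; every handler taking dp must check */`. As a smaller style point, the assignment buried in the opromgetprop condition, `!(pval = of_get_property(dp, op->oprom_array, &len))`, reads more clearly as an early `if (!dp)` return followed by the original two lines. opromgetprop and opromnxtprop both begin and end outside their hunks.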