1 files changed, 31 insertions, 31 deletions
diff --git a/net/econet/af_econet.c b/net/econet/af_econet.c
index d41ba8e56c10..13992e1d2726 100644
--- a/net/econet/af_econet.c
+++ b/net/econet/af_econet.c
@@ -31,6 +31,7 @@
 #include <linux/skbuff.h>
 #include <linux/udp.h>
 #include <linux/slab.h>
+#include <linux/vmalloc.h>
 #include <net/sock.h>
 #include <net/inet_common.h>
 #include <linux/stat.h>
@@ -276,12 +277,12 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
 #endif
 #ifdef CONFIG_ECONET_AUNUDP
        struct msghdr udpmsg;
-        struct iovec iov[msg->msg_iovlen+1];
+        struct iovec iov[2];
        struct aunhdr ah;
        struct sockaddr_in udpdest;
        __kernel_size_t size;
-        int i;
        mm_segment_t oldfs;
+        char *userbuf;
 #endif
        /*
@@ -319,17 +320,17 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
                }
        }
-        if (len + 15 > dev->mtu) {
-                mutex_unlock(&econet_mutex);
-                return -EMSGSIZE;
-        }
        if (dev->type == ARPHRD_ECONET) {
                /* Real hardware Econet.  We're not worthy etc. */
 #ifdef CONFIG_ECONET_NATIVE
                unsigned short proto = 0;
                int res;
+                if (len + 15 > dev->mtu) {
+                        mutex_unlock(&econet_mutex);
+                        return -EMSGSIZE;
+                }
                dev_hold(dev);
                skb = sock_alloc_send_skb(sk, len+LL_ALLOCATED_SPACE(dev),
@@ -405,6 +406,11 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
                return -ENETDOWN;               /* No socket - can't send */
        }
+        if (len > 32768) {
+                err = -E2BIG;
+                goto error;
+        }
        /* Make up a UDP datagram and hand it off to some higher intellect. */
        memset(&udpdest, 0, sizeof(udpdest));
@@ -436,36 +442,26 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
        /* tack our header on the front of the iovec */
        size = sizeof(struct aunhdr);
-        /*
-         * XXX: that is b0rken.  We can't mix userland and kernel pointers
-         * in iovec, since on a lot of platforms copy_from_user() will
-         * *not* work with the kernel and userland ones at the same time,
-         * regardless of what we do with set_fs().  And we are talking about
-         * econet-over-ethernet here, so "it's only ARM anyway" doesn't
-         * apply.  Any suggestions on fixing that code?         -- AV
-         */
        iov[0].iov_base = (void *)&ah;
        iov[0].iov_len = size;
-        for (i = 0; i < msg->msg_iovlen; i++) {
-                void __user *base = msg->msg_iov[i].iov_base;
+        userbuf = vmalloc(len);
-                size_t iov_len = msg->msg_iov[i].iov_len;
+        if (userbuf == NULL) {
-                /* Check it now since we switch to KERNEL_DS later. */
+                err = -ENOMEM;
-                if (!access_ok(VERIFY_READ, base, iov_len)) {
+                goto error;
-                        mutex_unlock(&econet_mutex);
-                        return -EFAULT;
-                }
-                iov[i+1].iov_base = base;
-                iov[i+1].iov_len = iov_len;
-                size += iov_len;
        }
+        iov[1].iov_base = userbuf;
+        iov[1].iov_len = len;
+        err = memcpy_fromiovec(userbuf, msg->msg_iov, len);
+        if (err)
+                goto error_free_buf;
        /* Get a skbuff (no data, just holds our cb information) */
        if ((skb = sock_alloc_send_skb(sk, 0,
                                       msg->msg_flags & MSG_DONTWAIT,
-                                       &err)) == NULL) {
+                                       &err)) == NULL)
-                mutex_unlock(&econet_mutex);
+                goto error_free_buf;
-                return err;
-        }
        eb = (struct ec_cb *)&skb->cb;
@@ -481,7 +477,7 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
        udpmsg.msg_name = (void *)&udpdest;
        udpmsg.msg_namelen = sizeof(udpdest);
        udpmsg.msg_iov = &iov[0];
-        udpmsg.msg_iovlen = msg->msg_iovlen + 1;
+        udpmsg.msg_iovlen = 2;
        udpmsg.msg_control = NULL;
        udpmsg.msg_controllen = 0;
        udpmsg.msg_flags=0;
@@ -489,9 +485,13 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
        oldfs = get_fs(); set_fs(KERNEL_DS);    /* More privs :-) */
        err = sock_sendmsg(udpsock, &udpmsg, size);
        set_fs(oldfs);
+error_free_buf:
+        vfree(userbuf);
 #else
        err = -EPROTOTYPE;
 #endif
+        error:
        mutex_unlock(&econet_mutex);
        return err;

diff --git a/net/econet/af_econet.c b/net/econet/af_econet.c index d41ba8e56c10..13992e1d2726 100644 --- a/net/econet/af_econet.c +++ b/net/econet/af_econet.c
@@ -31,6 +31,7 @@
31	#include <linux/skbuff.h>	31	#include <linux/skbuff.h>
32	#include <linux/udp.h>	32	#include <linux/udp.h>
33	#include <linux/slab.h>	33	#include <linux/slab.h>
		34	#include <linux/vmalloc.h>
34	#include <net/sock.h>	35	#include <net/sock.h>
35	#include <net/inet_common.h>	36	#include <net/inet_common.h>
36	#include <linux/stat.h>	37	#include <linux/stat.h>
@@ -276,12 +277,12 @@ static int econet_sendmsg(struct kiocb iocb, struct socket sock,
276	#endif	277	#endif
277	#ifdef CONFIG_ECONET_AUNUDP	278	#ifdef CONFIG_ECONET_AUNUDP
278	struct msghdr udpmsg;	279	struct msghdr udpmsg;
279	struct iovec iov[msg->msg_iovlen+1];	280	struct iovec iov[2];
280	struct aunhdr ah;	281	struct aunhdr ah;
281	struct sockaddr_in udpdest;	282	struct sockaddr_in udpdest;
282	__kernel_size_t size;	283	__kernel_size_t size;
283	int i;
284	mm_segment_t oldfs;	284	mm_segment_t oldfs;
		285	char *userbuf;
285	#endif	286	#endif
286		287
287	/*	288	/*
@@ -319,17 +320,17 @@ static int econet_sendmsg(struct kiocb iocb, struct socket sock,
319	}	320	}
320	}	321	}
321		322
322	if (len + 15 > dev->mtu) {
323	mutex_unlock(&econet_mutex);
324	return -EMSGSIZE;
325	}
326
327	if (dev->type == ARPHRD_ECONET) {	323	if (dev->type == ARPHRD_ECONET) {
328	/* Real hardware Econet. We're not worthy etc. */	324	/* Real hardware Econet. We're not worthy etc. */
329	#ifdef CONFIG_ECONET_NATIVE	325	#ifdef CONFIG_ECONET_NATIVE
330	unsigned short proto = 0;	326	unsigned short proto = 0;
331	int res;	327	int res;
332		328
		329	if (len + 15 > dev->mtu) {
		330	mutex_unlock(&econet_mutex);
		331	return -EMSGSIZE;
		332	}
		333
333	dev_hold(dev);	334	dev_hold(dev);
334		335
335	skb = sock_alloc_send_skb(sk, len+LL_ALLOCATED_SPACE(dev),	336	skb = sock_alloc_send_skb(sk, len+LL_ALLOCATED_SPACE(dev),
@@ -405,6 +406,11 @@ static int econet_sendmsg(struct kiocb iocb, struct socket sock,
405	return -ENETDOWN; /* No socket - can't send */	406	return -ENETDOWN; /* No socket - can't send */
406	}	407	}
407		408
		409	if (len > 32768) {
		410	err = -E2BIG;
		411	goto error;
		412	}
		413
408	/* Make up a UDP datagram and hand it off to some higher intellect. */	414	/* Make up a UDP datagram and hand it off to some higher intellect. */
409		415
410	memset(&udpdest, 0, sizeof(udpdest));	416	memset(&udpdest, 0, sizeof(udpdest));
@@ -436,36 +442,26 @@ static int econet_sendmsg(struct kiocb iocb, struct socket sock,
436		442
437	/* tack our header on the front of the iovec */	443	/* tack our header on the front of the iovec */
438	size = sizeof(struct aunhdr);	444	size = sizeof(struct aunhdr);
439	/*
440	* XXX: that is b0rken. We can't mix userland and kernel pointers
441	* in iovec, since on a lot of platforms copy_from_user() will
442	* not work with the kernel and userland ones at the same time,
443	* regardless of what we do with set_fs(). And we are talking about
444	* econet-over-ethernet here, so "it's only ARM anyway" doesn't
445	* apply. Any suggestions on fixing that code? -- AV
446	*/
447	iov[0].iov_base = (void *)&ah;	445	iov[0].iov_base = (void *)&ah;
448	iov[0].iov_len = size;	446	iov[0].iov_len = size;
449	for (i = 0; i < msg->msg_iovlen; i++) {	447
450	void __user *base = msg->msg_iov[i].iov_base;	448	userbuf = vmalloc(len);
451	size_t iov_len = msg->msg_iov[i].iov_len;	449	if (userbuf == NULL) {
452	/* Check it now since we switch to KERNEL_DS later. */	450	err = -ENOMEM;
453	if (!access_ok(VERIFY_READ, base, iov_len)) {	451	goto error;
454	mutex_unlock(&econet_mutex);
455	return -EFAULT;
456	}
457	iov[i+1].iov_base = base;
458	iov[i+1].iov_len = iov_len;
459	size += iov_len;
460	}	452	}
461		453
		454	iov[1].iov_base = userbuf;
		455	iov[1].iov_len = len;
		456	err = memcpy_fromiovec(userbuf, msg->msg_iov, len);
		457	if (err)
		458	goto error_free_buf;
		459
462	/* Get a skbuff (no data, just holds our cb information) */	460	/* Get a skbuff (no data, just holds our cb information) */
463	if ((skb = sock_alloc_send_skb(sk, 0,	461	if ((skb = sock_alloc_send_skb(sk, 0,
464	msg->msg_flags & MSG_DONTWAIT,	462	msg->msg_flags & MSG_DONTWAIT,
465	&err)) == NULL) {	463	&err)) == NULL)
466	mutex_unlock(&econet_mutex);	464	goto error_free_buf;
467	return err;
468	}
469		465
470	eb = (struct ec_cb *)&skb->cb;	466	eb = (struct ec_cb *)&skb->cb;
471		467
@@ -481,7 +477,7 @@ static int econet_sendmsg(struct kiocb iocb, struct socket sock,
481	udpmsg.msg_name = (void *)&udpdest;	477	udpmsg.msg_name = (void *)&udpdest;
482	udpmsg.msg_namelen = sizeof(udpdest);	478	udpmsg.msg_namelen = sizeof(udpdest);
483	udpmsg.msg_iov = &iov[0];	479	udpmsg.msg_iov = &iov[0];
484	udpmsg.msg_iovlen = msg->msg_iovlen + 1;	480	udpmsg.msg_iovlen = 2;
485	udpmsg.msg_control = NULL;	481	udpmsg.msg_control = NULL;
486	udpmsg.msg_controllen = 0;	482	udpmsg.msg_controllen = 0;
487	udpmsg.msg_flags=0;	483	udpmsg.msg_flags=0;
@@ -489,9 +485,13 @@ static int econet_sendmsg(struct kiocb iocb, struct socket sock,
489	oldfs = get_fs(); set_fs(KERNEL_DS); /* More privs :-) */	485	oldfs = get_fs(); set_fs(KERNEL_DS); /* More privs :-) */
490	err = sock_sendmsg(udpsock, &udpmsg, size);	486	err = sock_sendmsg(udpsock, &udpmsg, size);
491	set_fs(oldfs);	487	set_fs(oldfs);
		488
		489	error_free_buf:
		490	vfree(userbuf);
492	#else	491	#else
493	err = -EPROTOTYPE;	492	err = -EPROTOTYPE;
494	#endif	493	#endif
		494	error:
495	mutex_unlock(&econet_mutex);	495	mutex_unlock(&econet_mutex);
496		496
497	return err;	497	return err;