diff options
Diffstat (limited to 'drivers/connector/connector.c')
| -rw-r--r-- | drivers/connector/connector.c | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/drivers/connector/connector.c b/drivers/connector/connector.c index 6ecfa758942c..a36749f1e44a 100644 --- a/drivers/connector/connector.c +++ b/drivers/connector/connector.c | |||
| @@ -109,7 +109,7 @@ int cn_netlink_send(struct cn_msg *msg, u32 __group, gfp_t gfp_mask) | |||
| 109 | 109 | ||
| 110 | data = nlmsg_data(nlh); | 110 | data = nlmsg_data(nlh); |
| 111 | 111 | ||
| 112 | memcpy(data, msg, sizeof(*data) + msg->len); | 112 | memcpy(data, msg, size); |
| 113 | 113 | ||
| 114 | NETLINK_CB(skb).dst_group = group; | 114 | NETLINK_CB(skb).dst_group = group; |
| 115 | 115 | ||
| @@ -157,17 +157,18 @@ static int cn_call_callback(struct sk_buff *skb) | |||
| 157 | static void cn_rx_skb(struct sk_buff *__skb) | 157 | static void cn_rx_skb(struct sk_buff *__skb) |
| 158 | { | 158 | { |
| 159 | struct nlmsghdr *nlh; | 159 | struct nlmsghdr *nlh; |
| 160 | int err; | ||
| 161 | struct sk_buff *skb; | 160 | struct sk_buff *skb; |
| 161 | int len, err; | ||
| 162 | 162 | ||
| 163 | skb = skb_get(__skb); | 163 | skb = skb_get(__skb); |
| 164 | 164 | ||
| 165 | if (skb->len >= NLMSG_HDRLEN) { | 165 | if (skb->len >= NLMSG_HDRLEN) { |
| 166 | nlh = nlmsg_hdr(skb); | 166 | nlh = nlmsg_hdr(skb); |
| 167 | len = nlmsg_len(nlh); | ||
| 167 | 168 | ||
| 168 | if (nlh->nlmsg_len < sizeof(struct cn_msg) || | 169 | if (len < (int)sizeof(struct cn_msg) || |
| 169 | skb->len < nlh->nlmsg_len || | 170 | skb->len < nlh->nlmsg_len || |
| 170 | nlh->nlmsg_len > CONNECTOR_MAX_MSG_SIZE) { | 171 | len > CONNECTOR_MAX_MSG_SIZE) { |
| 171 | kfree_skb(skb); | 172 | kfree_skb(skb); |
| 172 | return; | 173 | return; |
| 173 | } | 174 | } |