2 files changed, 13 insertions, 14 deletions
diff --git a/net/core/iovec.c b/net/core/iovec.c
index 72aceb1fe4fa..c40f27e7d208 100644
--- a/net/core/iovec.c
+++ b/net/core/iovec.c
@@ -35,10 +35,9 @@
 *      in any case.
 */
-long verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr *address, int mode)
+int verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr *address, int mode)
 {
-        int size, ct;
+        int size, ct, err;
-        long err;
        if (m->msg_namelen) {
                if (mode == VERIFY_READ) {
@@ -62,14 +61,13 @@ long verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr *address,
        err = 0;
        for (ct = 0; ct < m->msg_iovlen; ct++) {
-                err += iov[ct].iov_len;
+                size_t len = iov[ct].iov_len;
-                /*
-                 * Goal is not to verify user data, but to prevent returning
+                if (len > INT_MAX - err) {
-                 * negative value, which is interpreted as errno.
+                        len = INT_MAX - err;
-                 * Overflow is still possible, but it is harmless.
+                        iov[ct].iov_len = len;
-                 */
+                }
-                if (err < 0)
+                err += len;
-                        return -EMSGSIZE;
        }
        return err;
diff --git a/net/core/pktgen.c b/net/core/pktgen.c
index 679b797d06b1..fbce4b05a53e 100644
--- a/net/core/pktgen.c
+++ b/net/core/pktgen.c
@@ -887,10 +887,11 @@ static ssize_t pktgen_if_write(struct file *file,
        i += len;
        if (debug) {
-                char tb[count + 1];
+                size_t copy = min(count, 1023);
-                if (copy_from_user(tb, user_buffer, count))
+                char tb[copy + 1];
+                if (copy_from_user(tb, user_buffer, copy))
                        return -EFAULT;
-                tb[count] = 0;
+                tb[copy] = 0;
                printk(KERN_DEBUG "pktgen: %s,%lu  buffer -:%s:-\n", name,
                       (unsigned long)count, tb);
        }

diff --git a/net/core/iovec.c b/net/core/iovec.c index 72aceb1fe4fa..c40f27e7d208 100644 --- a/net/core/iovec.c +++ b/net/core/iovec.c
@@ -35,10 +35,9 @@
35	* in any case.	35	* in any case.
36	*/	36	*/
37		37
38	long verify_iovec(struct msghdr m, struct iovec iov, struct sockaddr *address, int mode)	38	int verify_iovec(struct msghdr m, struct iovec iov, struct sockaddr *address, int mode)
39	{	39	{
40	int size, ct;	40	int size, ct, err;
41	long err;
42		41
43	if (m->msg_namelen) {	42	if (m->msg_namelen) {
44	if (mode == VERIFY_READ) {	43	if (mode == VERIFY_READ) {
@@ -62,14 +61,13 @@ long verify_iovec(struct msghdr m, struct iovec iov, struct sockaddr *address,
62	err = 0;	61	err = 0;
63		62
64	for (ct = 0; ct < m->msg_iovlen; ct++) {	63	for (ct = 0; ct < m->msg_iovlen; ct++) {
65	err += iov[ct].iov_len;	64	size_t len = iov[ct].iov_len;
66	/*	65
67	* Goal is not to verify user data, but to prevent returning	66	if (len > INT_MAX - err) {
68	* negative value, which is interpreted as errno.	67	len = INT_MAX - err;
69	* Overflow is still possible, but it is harmless.	68	iov[ct].iov_len = len;
70	*/	69	}
71	if (err < 0)	70	err += len;
72	return -EMSGSIZE;
73	}	71	}
74		72
75	return err;	73	return err;


diff --git a/net/core/pktgen.c b/net/core/pktgen.c index 679b797d06b1..fbce4b05a53e 100644 --- a/net/core/pktgen.c +++ b/net/core/pktgen.c
@@ -887,10 +887,11 @@ static ssize_t pktgen_if_write(struct file *file,
887	i += len;	887	i += len;
888		888
889	if (debug) {	889	if (debug) {
890	char tb[count + 1];	890	size_t copy = min(count, 1023);
891	if (copy_from_user(tb, user_buffer, count))	891	char tb[copy + 1];
		892	if (copy_from_user(tb, user_buffer, copy))
892	return -EFAULT;	893	return -EFAULT;
893	tb[count] = 0;	894	tb[copy] = 0;
894	printk(KERN_DEBUG "pktgen: %s,%lu buffer -:%s:-\n", name,	895	printk(KERN_DEBUG "pktgen: %s,%lu buffer -:%s:-\n", name,
895	(unsigned long)count, tb);	896	(unsigned long)count, tb);
896	}	897	}