diff options
Diffstat (limited to 'net/econet/af_econet.c')
-rw-r--r-- | net/econet/af_econet.c | 91 |
1 files changed, 42 insertions, 49 deletions
diff --git a/net/econet/af_econet.c b/net/econet/af_econet.c index f8c1ae4b41f0..13992e1d2726 100644 --- a/net/econet/af_econet.c +++ b/net/econet/af_econet.c | |||
@@ -31,6 +31,7 @@ | |||
31 | #include <linux/skbuff.h> | 31 | #include <linux/skbuff.h> |
32 | #include <linux/udp.h> | 32 | #include <linux/udp.h> |
33 | #include <linux/slab.h> | 33 | #include <linux/slab.h> |
34 | #include <linux/vmalloc.h> | ||
34 | #include <net/sock.h> | 35 | #include <net/sock.h> |
35 | #include <net/inet_common.h> | 36 | #include <net/inet_common.h> |
36 | #include <linux/stat.h> | 37 | #include <linux/stat.h> |
@@ -276,12 +277,12 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock, | |||
276 | #endif | 277 | #endif |
277 | #ifdef CONFIG_ECONET_AUNUDP | 278 | #ifdef CONFIG_ECONET_AUNUDP |
278 | struct msghdr udpmsg; | 279 | struct msghdr udpmsg; |
279 | struct iovec iov[msg->msg_iovlen+1]; | 280 | struct iovec iov[2]; |
280 | struct aunhdr ah; | 281 | struct aunhdr ah; |
281 | struct sockaddr_in udpdest; | 282 | struct sockaddr_in udpdest; |
282 | __kernel_size_t size; | 283 | __kernel_size_t size; |
283 | int i; | ||
284 | mm_segment_t oldfs; | 284 | mm_segment_t oldfs; |
285 | char *userbuf; | ||
285 | #endif | 286 | #endif |
286 | 287 | ||
287 | /* | 288 | /* |
@@ -297,23 +298,14 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock, | |||
297 | 298 | ||
298 | mutex_lock(&econet_mutex); | 299 | mutex_lock(&econet_mutex); |
299 | 300 | ||
300 | if (saddr == NULL) { | 301 | if (saddr == NULL || msg->msg_namelen < sizeof(struct sockaddr_ec)) { |
301 | struct econet_sock *eo = ec_sk(sk); | 302 | mutex_unlock(&econet_mutex); |
302 | 303 | return -EINVAL; | |
303 | addr.station = eo->station; | 304 | } |
304 | addr.net = eo->net; | 305 | addr.station = saddr->addr.station; |
305 | port = eo->port; | 306 | addr.net = saddr->addr.net; |
306 | cb = eo->cb; | 307 | port = saddr->port; |
307 | } else { | 308 | cb = saddr->cb; |
308 | if (msg->msg_namelen < sizeof(struct sockaddr_ec)) { | ||
309 | mutex_unlock(&econet_mutex); | ||
310 | return -EINVAL; | ||
311 | } | ||
312 | addr.station = saddr->addr.station; | ||
313 | addr.net = saddr->addr.net; | ||
314 | port = saddr->port; | ||
315 | cb = saddr->cb; | ||
316 | } | ||
317 | 309 | ||
318 | /* Look for a device with the right network number. */ | 310 | /* Look for a device with the right network number. */ |
319 | dev = net2dev_map[addr.net]; | 311 | dev = net2dev_map[addr.net]; |
@@ -328,17 +320,17 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock, | |||
328 | } | 320 | } |
329 | } | 321 | } |
330 | 322 | ||
331 | if (len + 15 > dev->mtu) { | ||
332 | mutex_unlock(&econet_mutex); | ||
333 | return -EMSGSIZE; | ||
334 | } | ||
335 | |||
336 | if (dev->type == ARPHRD_ECONET) { | 323 | if (dev->type == ARPHRD_ECONET) { |
337 | /* Real hardware Econet. We're not worthy etc. */ | 324 | /* Real hardware Econet. We're not worthy etc. */ |
338 | #ifdef CONFIG_ECONET_NATIVE | 325 | #ifdef CONFIG_ECONET_NATIVE |
339 | unsigned short proto = 0; | 326 | unsigned short proto = 0; |
340 | int res; | 327 | int res; |
341 | 328 | ||
329 | if (len + 15 > dev->mtu) { | ||
330 | mutex_unlock(&econet_mutex); | ||
331 | return -EMSGSIZE; | ||
332 | } | ||
333 | |||
342 | dev_hold(dev); | 334 | dev_hold(dev); |
343 | 335 | ||
344 | skb = sock_alloc_send_skb(sk, len+LL_ALLOCATED_SPACE(dev), | 336 | skb = sock_alloc_send_skb(sk, len+LL_ALLOCATED_SPACE(dev), |
@@ -351,7 +343,6 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock, | |||
351 | 343 | ||
352 | eb = (struct ec_cb *)&skb->cb; | 344 | eb = (struct ec_cb *)&skb->cb; |
353 | 345 | ||
354 | /* BUG: saddr may be NULL */ | ||
355 | eb->cookie = saddr->cookie; | 346 | eb->cookie = saddr->cookie; |
356 | eb->sec = *saddr; | 347 | eb->sec = *saddr; |
357 | eb->sent = ec_tx_done; | 348 | eb->sent = ec_tx_done; |
@@ -415,6 +406,11 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock, | |||
415 | return -ENETDOWN; /* No socket - can't send */ | 406 | return -ENETDOWN; /* No socket - can't send */ |
416 | } | 407 | } |
417 | 408 | ||
409 | if (len > 32768) { | ||
410 | err = -E2BIG; | ||
411 | goto error; | ||
412 | } | ||
413 | |||
418 | /* Make up a UDP datagram and hand it off to some higher intellect. */ | 414 | /* Make up a UDP datagram and hand it off to some higher intellect. */ |
419 | 415 | ||
420 | memset(&udpdest, 0, sizeof(udpdest)); | 416 | memset(&udpdest, 0, sizeof(udpdest)); |
@@ -446,36 +442,26 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock, | |||
446 | 442 | ||
447 | /* tack our header on the front of the iovec */ | 443 | /* tack our header on the front of the iovec */ |
448 | size = sizeof(struct aunhdr); | 444 | size = sizeof(struct aunhdr); |
449 | /* | ||
450 | * XXX: that is b0rken. We can't mix userland and kernel pointers | ||
451 | * in iovec, since on a lot of platforms copy_from_user() will | ||
452 | * *not* work with the kernel and userland ones at the same time, | ||
453 | * regardless of what we do with set_fs(). And we are talking about | ||
454 | * econet-over-ethernet here, so "it's only ARM anyway" doesn't | ||
455 | * apply. Any suggestions on fixing that code? -- AV | ||
456 | */ | ||
457 | iov[0].iov_base = (void *)&ah; | 445 | iov[0].iov_base = (void *)&ah; |
458 | iov[0].iov_len = size; | 446 | iov[0].iov_len = size; |
459 | for (i = 0; i < msg->msg_iovlen; i++) { | 447 | |
460 | void __user *base = msg->msg_iov[i].iov_base; | 448 | userbuf = vmalloc(len); |
461 | size_t iov_len = msg->msg_iov[i].iov_len; | 449 | if (userbuf == NULL) { |
462 | /* Check it now since we switch to KERNEL_DS later. */ | 450 | err = -ENOMEM; |
463 | if (!access_ok(VERIFY_READ, base, iov_len)) { | 451 | goto error; |
464 | mutex_unlock(&econet_mutex); | ||
465 | return -EFAULT; | ||
466 | } | ||
467 | iov[i+1].iov_base = base; | ||
468 | iov[i+1].iov_len = iov_len; | ||
469 | size += iov_len; | ||
470 | } | 452 | } |
471 | 453 | ||
454 | iov[1].iov_base = userbuf; | ||
455 | iov[1].iov_len = len; | ||
456 | err = memcpy_fromiovec(userbuf, msg->msg_iov, len); | ||
457 | if (err) | ||
458 | goto error_free_buf; | ||
459 | |||
472 | /* Get a skbuff (no data, just holds our cb information) */ | 460 | /* Get a skbuff (no data, just holds our cb information) */ |
473 | if ((skb = sock_alloc_send_skb(sk, 0, | 461 | if ((skb = sock_alloc_send_skb(sk, 0, |
474 | msg->msg_flags & MSG_DONTWAIT, | 462 | msg->msg_flags & MSG_DONTWAIT, |
475 | &err)) == NULL) { | 463 | &err)) == NULL) |
476 | mutex_unlock(&econet_mutex); | 464 | goto error_free_buf; |
477 | return err; | ||
478 | } | ||
479 | 465 | ||
480 | eb = (struct ec_cb *)&skb->cb; | 466 | eb = (struct ec_cb *)&skb->cb; |
481 | 467 | ||
@@ -491,7 +477,7 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock, | |||
491 | udpmsg.msg_name = (void *)&udpdest; | 477 | udpmsg.msg_name = (void *)&udpdest; |
492 | udpmsg.msg_namelen = sizeof(udpdest); | 478 | udpmsg.msg_namelen = sizeof(udpdest); |
493 | udpmsg.msg_iov = &iov[0]; | 479 | udpmsg.msg_iov = &iov[0]; |
494 | udpmsg.msg_iovlen = msg->msg_iovlen + 1; | 480 | udpmsg.msg_iovlen = 2; |
495 | udpmsg.msg_control = NULL; | 481 | udpmsg.msg_control = NULL; |
496 | udpmsg.msg_controllen = 0; | 482 | udpmsg.msg_controllen = 0; |
497 | udpmsg.msg_flags=0; | 483 | udpmsg.msg_flags=0; |
@@ -499,9 +485,13 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock, | |||
499 | oldfs = get_fs(); set_fs(KERNEL_DS); /* More privs :-) */ | 485 | oldfs = get_fs(); set_fs(KERNEL_DS); /* More privs :-) */ |
500 | err = sock_sendmsg(udpsock, &udpmsg, size); | 486 | err = sock_sendmsg(udpsock, &udpmsg, size); |
501 | set_fs(oldfs); | 487 | set_fs(oldfs); |
488 | |||
489 | error_free_buf: | ||
490 | vfree(userbuf); | ||
502 | #else | 491 | #else |
503 | err = -EPROTOTYPE; | 492 | err = -EPROTOTYPE; |
504 | #endif | 493 | #endif |
494 | error: | ||
505 | mutex_unlock(&econet_mutex); | 495 | mutex_unlock(&econet_mutex); |
506 | 496 | ||
507 | return err; | 497 | return err; |
@@ -671,6 +661,9 @@ static int ec_dev_ioctl(struct socket *sock, unsigned int cmd, void __user *arg) | |||
671 | err = 0; | 661 | err = 0; |
672 | switch (cmd) { | 662 | switch (cmd) { |
673 | case SIOCSIFADDR: | 663 | case SIOCSIFADDR: |
664 | if (!capable(CAP_NET_ADMIN)) | ||
665 | return -EPERM; | ||
666 | |||
674 | edev = dev->ec_ptr; | 667 | edev = dev->ec_ptr; |
675 | if (edev == NULL) { | 668 | if (edev == NULL) { |
676 | /* Magic up a new one. */ | 669 | /* Magic up a new one. */ |