diff options
author | Al Viro <viro@ftp.linux.org.uk> | 2008-05-21 06:32:11 +0100 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2008-05-21 16:55:59 -0700 |
commit | 79bc12a0a09c2eb1ccbb01c192045f994567bda2 (patch) | |
tree | 184c0e98c967f12b3805ebfbf9c69e6043ca6eb7 /fs/ecryptfs | |
parent | 4ec7ffa2df247054d422b48148ad82369a45e986 (diff) | |
download | kernel_samsung_espresso10-79bc12a0a09c2eb1ccbb01c192045f994567bda2.zip kernel_samsung_espresso10-79bc12a0a09c2eb1ccbb01c192045f994567bda2.tar.gz kernel_samsung_espresso10-79bc12a0a09c2eb1ccbb01c192045f994567bda2.tar.bz2 |
ecryptfs fixes
memcpy() from userland pointer is a Bad Thing(tm)
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'fs/ecryptfs')
-rw-r--r-- | fs/ecryptfs/miscdev.c | 26 |
1 files changed, 12 insertions, 14 deletions
diff --git a/fs/ecryptfs/miscdev.c b/fs/ecryptfs/miscdev.c index 6560da1..50c994a 100644 --- a/fs/ecryptfs/miscdev.c +++ b/fs/ecryptfs/miscdev.c @@ -243,7 +243,6 @@ ecryptfs_miscdev_read(struct file *file, char __user *buf, size_t count, struct ecryptfs_daemon *daemon; struct ecryptfs_msg_ctx *msg_ctx; size_t packet_length_size; - u32 counter_nbo; char packet_length[3]; size_t i; size_t total_length; @@ -328,20 +327,18 @@ check_list: "pending message\n", __func__, count, total_length); goto out_unlock_msg_ctx; } - i = 0; - buf[i++] = msg_ctx->type; - counter_nbo = cpu_to_be32(msg_ctx->counter); - memcpy(&buf[i], (char *)&counter_nbo, 4); - i += 4; + rc = -EFAULT; + if (put_user(msg_ctx->type, buf)) + goto out_unlock_msg_ctx; + if (put_user(cpu_to_be32(msg_ctx->counter), (__be32 __user *)(buf + 1))) + goto out_unlock_msg_ctx; + i = 5; if (msg_ctx->msg) { - memcpy(&buf[i], packet_length, packet_length_size); + if (copy_to_user(&buf[i], packet_length, packet_length_size)) + goto out_unlock_msg_ctx; i += packet_length_size; - rc = copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size); - if (rc) { - printk(KERN_ERR "%s: copy_to_user returned error " - "[%d]\n", __func__, rc); + if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size)) goto out_unlock_msg_ctx; - } i += msg_ctx->msg_size; } rc = i; @@ -452,7 +449,8 @@ static ssize_t ecryptfs_miscdev_write(struct file *file, const char __user *buf, size_t count, loff_t *ppos) { - u32 counter_nbo, seq; + __be32 counter_nbo; + u32 seq; size_t packet_size, packet_size_length, i; ssize_t sz = 0; char *data; @@ -485,7 +483,7 @@ ecryptfs_miscdev_write(struct file *file, const char __user *buf, count); goto out_free; } - memcpy((char *)&counter_nbo, &data[i], 4); + memcpy(&counter_nbo, &data[i], 4); seq = be32_to_cpu(counter_nbo); i += 4; rc = ecryptfs_parse_packet_length(&data[i], &packet_size, |