[PATCH 1/6] cifs: copy_to_user and copy_from_user fixes

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Pekka Enberg <penberg@cs.helsinki.fi>
To: sfrench@samba.org
Cc: linux-kernel@vger.kernel.org
Subject: [PATCH 1/6] cifs: copy_to_user and copy_from_user fixes
Date: Sat, 15 Jan 2005 15:25:46 +0200	[thread overview]
Message-ID: <1105795546.9555.2.camel@localhost> (raw)

Check return value for copy_to_user() and copy_from_user().

Signed-off-by: Pekka Enberg <penberg@cs.helsinki.fi>
---

 cifssmb.c |   37 ++++++++++++++++++++++---------------
 file.c    |    6 +++++-
 2 files changed, 27 insertions(+), 16 deletions(-)

Index: linux/fs/cifs/cifssmb.c
===================================================================
--- linux.orig/fs/cifs/cifssmb.c	2005-01-12 19:43:26.012611064 +0200
+++ linux/fs/cifs/cifssmb.c	2005-01-12 20:03:29.307682408 +0200
@@ -886,25 +886,29 @@
 	pSMB->Reserved = 0xFFFFFFFF;
 	pSMB->WriteMode = 0;
 	pSMB->Remaining = 0;
-	/* BB can relax this if buffer is big enough in some cases - ie we can 
-	send more  if LARGE_WRITE_X capability returned by the server and if
-	our buffer is big enough or if we convert to iovecs on socket writes
-	and eliminate the copy to the CIFS buffer */
+	/*
+	 * BB can relax this if buffer is big enough in some cases - ie we can 
+	 * send more  if LARGE_WRITE_X capability returned by the server and if
+	 * our buffer is big enough or if we convert to iovecs on socket writes
+	 * and eliminate the copy to the CIFS buffer
+	 */
 	bytes_sent = (tcon->ses->server->maxBuf - MAX_CIFS_HDR_SIZE) & ~0xFF;
 	if (bytes_sent > count)
 		bytes_sent = count;
 	pSMB->DataLengthHigh = 0;
 	pSMB->DataOffset =
 	    cpu_to_le16(offsetof(struct smb_com_write_req,Data) - 4);
-    if(buf)
-	    memcpy(pSMB->Data,buf,bytes_sent);
-	else if(ubuf)
-		copy_from_user(pSMB->Data,ubuf,bytes_sent);
-    else {
-		/* No buffer */
-		if(pSMB)
-			cifs_buf_release(pSMB);
-		return -EINVAL;
+
+	if (buf)
+		memcpy(pSMB->Data, buf, bytes_sent);
+	else if (ubuf) {
+		if (copy_from_user(pSMB->Data, ubuf, bytes_sent)) {
+			rc = -EFAULT;
+			goto out_release;
+		}
+	} else {
+		rc = -EINVAL;
+		goto out_release;
 	}
 
 	byte_count = bytes_sent + 1 /* pad */ ;
@@ -921,11 +925,14 @@
 	} else
 		*nbytes = le16_to_cpu(pSMBr->Count);
 
+ out_release:
 	if (pSMB)
 		cifs_buf_release(pSMB);
 
-	/* Note: On -EAGAIN error only caller can retry on handle based calls 
-		since file handle passed in no longer valid */
+	/*
+	 * Note: On -EAGAIN error only caller can retry on handle based calls
+	 * since file handle passed in no longer valid
+	 */
 
 	return rc;
 }
Index: linux/fs/cifs/file.c
===================================================================
--- linux.orig/fs/cifs/file.c	2005-01-12 19:43:26.018610152 +0200
+++ linux/fs/cifs/file.c	2005-01-12 20:02:29.110833720 +0200
@@ -1165,8 +1165,12 @@
 				 &bytes_read, &smb_read_data);
 
 			pSMBr = (struct smb_com_read_rsp *)smb_read_data;
-			copy_to_user(current_offset,smb_read_data + 4/* RFC1001 hdr*/
+			rc = copy_to_user(current_offset, smb_read_data + 4 /* RFC1001 hdr */
 				+ le16_to_cpu(pSMBr->DataOffset), bytes_read);
+			if (rc) {
+				FreeXid(xid);
+				return -EFAULT;
+			}
 			if(smb_read_data) {
 				cifs_buf_release(smb_read_data);
 				smb_read_data = NULL;

next             reply	other threads:[~2005-01-15 13:26 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2005-01-15 13:25 Pekka Enberg [this message]
2005-01-15 13:26 ` [PATCH 2/6] cifs: remove dead code Pekka Enberg
2005-01-15 13:28   ` [PATCH 3/6] cifs: enum conversion Pekka Enberg
2005-01-15 13:29     ` [PATCH 4/6] cifs: remove spurious casts Pekka Enberg
2005-01-15 13:30       ` [PATCH 5/6] cifs: reduce deep nesting Pekka Enberg
2005-01-15 13:31         ` [PATCH 6/6] cifs: convert schedule_timeout to msleep and ssleep Pekka Enberg

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1105795546.9555.2.camel@localhost \
    --to=penberg@cs.helsinki.fi \
    --cc=linux-kernel@vger.kernel.org \
    --cc=sfrench@samba.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.