public inbox for linux-kernel@vger.kernel.org
* [PATCH] check copy_to_user return value in raw1394
From: Jesper Juhl @ 2004-10-10  0:12 UTC
  To: linux-kernel


Here's a proposed patch to make sure we check the return value of 
copy_to_user in raw1394.c::raw1394_read
I've changed __copy_to_user into copy_to_user since I don't see where we 
would otherwise be doing the access_ok checking...
Please review this patch before applying.

Signed-off-by: Jesper Juhl <juhl-lkml@dif.dk>

diff -up linux-2.6.9-rc3-bk9-orig/drivers/ieee1394/raw1394.c linux-2.6.9-rc3-bk9/drivers/ieee1394/raw1394.c
--- linux-2.6.9-rc3-bk9-orig/drivers/ieee1394/raw1394.c	2004-09-30 05:03:45.000000000 +0200
+++ linux-2.6.9-rc3-bk9/drivers/ieee1394/raw1394.c	2004-10-10 02:05:54.000000000 +0200
@@ -411,6 +411,7 @@ static ssize_t raw1394_read(struct file 
         struct file_info *fi = (struct file_info *)file->private_data;
         struct list_head *lh;
         struct pending_request *req;
+        ssize_t ret;
 
         if (count != sizeof(struct raw1394_request)) {
                 return -EINVAL;
@@ -443,10 +444,15 @@ static ssize_t raw1394_read(struct file 
                         req->req.error = RAW1394_ERROR_MEMFAULT;
                 }
         }
-        __copy_to_user(buffer, &req->req, sizeof(req->req));
+        if(copy_to_user(buffer, &req->req, sizeof(req->req))) {
+		ret = -EFAULT;
+		goto out;
+	}
 
+        ret = (ssize_t)sizeof(struct raw1394_request);
+out:
         free_pending_request(req);
-        return sizeof(struct raw1394_request);
+	return ret;
 }
 
 
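Review bot: on the new -EFAULT path, "goto out" lands on the label placed before free_pending_request(req), so a request whose copy to user space failed is freed and cannot be read again. If that is intended, say so in the changelog; if the caller should be able to retry the read(), the request would have to be kept instead of freed on this path. Separately, the copy uses sizeof(req->req) while the count check and the success return use sizeof(struct raw1394_request); one spelling for all three would make it obvious they are the same size, and the (ssize_t) cast is not needed for the assignment to ret.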



* Re: [PATCH] check copy_to_user return value in raw1394
From: Randy.Dunlap @ 2004-10-10  0:18 UTC
  To: Jesper Juhl; +Cc: linux-kernel

Jesper Juhl wrote:
> On Sun, 10 Oct 2004, Jesper Juhl wrote:
> 
> 
>>Here's a proposed patch to make sure we check the return value of 
>>copy_to_user in raw1394.c::raw1394_read
> 
> 
> 
> Whoops, I made an error when I set the From: address on this mail. If you 
> reply to this then please use juhl-lkml as the address if you want me to 
> see your reply.

How about sending it to:

IEEE 1394 SUBSYSTEM
P:	Ben Collins
M:	bcollins@debian.org
L:	linux1394-devel@lists.sourceforge.net
W:	http://www.linux1394.org/
S:	Maintained

and change "if(" to "if (" ...

-- 
~Randy


* Re: [PATCH] check copy_to_user return value in raw1394
From: Jesper Juhl @ 2004-10-10  0:22 UTC
  To: linux-kernel

On Sun, 10 Oct 2004, Jesper Juhl wrote:

> 
> Here's a proposed patch to make sure we check the return value of 
> copy_to_user in raw1394.c::raw1394_read


Whoops, I made an error when I set the From: address on this mail. If you 
reply to this then please use juhl-lkml as the address if you want me to 
see your reply.

--
Jesper Juhl <juhl-lkml@dif.dk>





* Re: [PATCH] check copy_to_user return value in raw1394
From: Jesper Juhl @ 2004-10-10  2:29 UTC
  To: Randy.Dunlap; +Cc: linux-kernel, Ben Collins, linux1394-devel

On Sat, 9 Oct 2004, Randy.Dunlap wrote:

> Jesper Juhl wrote:
> > On Sun, 10 Oct 2004, Jesper Juhl wrote:
> > 
> > 
> > > Here's a proposed patch to make sure we check the return value of
> > > copy_to_user in raw1394.c::raw1394_read
> > 
> 
> How about sending it to:
> 
> IEEE 1394 SUBSYSTEM
> P:	Ben Collins
> M:	bcollins@debian.org
> L:	linux1394-devel@lists.sourceforge.net
> W:	http://www.linux1394.org/
> S:	Maintained
> 

Right, I should probably do that... Added as a recipient on this mail...

> and change "if(" to "if (" ...
> 
Done.


Here's a revised patch:

Jesper Juhl <juhl-lkml@dif.dk>

diff -up linux-2.6.9-rc3-bk9-orig/drivers/ieee1394/raw1394.c linux-2.6.9-rc3-bk9/drivers/ieee1394/raw1394.c
--- linux-2.6.9-rc3-bk9-orig/drivers/ieee1394/raw1394.c	2004-09-30 05:03:45.000000000 +0200
+++ linux-2.6.9-rc3-bk9/drivers/ieee1394/raw1394.c	2004-10-10 04:24:57.000000000 +0200
@@ -411,6 +411,7 @@ static ssize_t raw1394_read(struct file 
         struct file_info *fi = (struct file_info *)file->private_data;
         struct list_head *lh;
         struct pending_request *req;
+	ssize_t ret;
 
         if (count != sizeof(struct raw1394_request)) {
                 return -EINVAL;
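Review bot: the added "ssize_t ret;" declaration is indented with a tab while the three declarations above it in this hunk are indented with spaces. If the file uses tabs there, the context lines have been whitespace-damaged in transit and the patch will not apply; if it uses spaces, match them. Either way, resend with the added line indented like its neighbours.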
@@ -443,10 +444,15 @@ static ssize_t raw1394_read(struct file 
                         req->req.error = RAW1394_ERROR_MEMFAULT;
                 }
         }
-        __copy_to_user(buffer, &req->req, sizeof(req->req));
+        if (copy_to_user(buffer, &req->req, sizeof(req->req))) {
+		ret = -EFAULT;
+		goto out;
+	}
 
+        ret = (ssize_t)sizeof(struct raw1394_request);
+out:
         free_pending_request(req);
-        return sizeof(struct raw1394_request);
+	return ret;
 }
 
 
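Review bot: indentation is mixed within the added lines of this hunk: "if (copy_to_user(...)) {" and "ret = (ssize_t)sizeof(...)" start with spaces, while the body of the if, its closing brace and "return ret;" start with tabs. Use the indentation of the rest of raw1394_read for all seven added lines. The switch from __copy_to_user to copy_to_user also deserves a sentence in the changelog stating that no access_ok check on buffer precedes this call, since none appears in the hunk's context.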

