NFC: Copy user space buffer when sending UI frames

Using the userspace IO vector directly is wrong; we should copy it from
user space first.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Samuel Ortiz 2012-10-29 14:02:17 +01:00
parent 08eaa1e0ce
commit 6e950fd214


@ -579,7 +579,7 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap,
struct sk_buff *pdu; struct sk_buff *pdu;
struct nfc_llcp_local *local; struct nfc_llcp_local *local;
size_t frag_len = 0, remaining_len; size_t frag_len = 0, remaining_len;
u8 *msg_ptr; u8 *msg_ptr, *msg_data;
int err; int err;
pr_debug("Send UI frame len %zd\n", len); pr_debug("Send UI frame len %zd\n", len);
@ -588,8 +588,17 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap,
if (local == NULL) if (local == NULL)
return -ENODEV; return -ENODEV;
msg_data = kzalloc(len, GFP_KERNEL);
if (msg_data == NULL)
return -ENOMEM;
if (memcpy_fromiovec(msg_data, msg->msg_iov, len)) {
kfree(msg_data);
return -EFAULT;
}
remaining_len = len; remaining_len = len;
msg_ptr = (u8 *) msg->msg_iov; msg_ptr = msg_data;
while (remaining_len > 0) { while (remaining_len > 0) {
@ -616,6 +625,8 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap,
msg_ptr += frag_len; msg_ptr += frag_len;
} }
kfree(msg_data);
return len; return len;
} }
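Review bot: The added `kzalloc(len, GFP_KERNEL)` sizes a kernel allocation directly from `len`, and no upper bound on `len` is visible between the `local == NULL` check and the allocation. If the callers do not already cap it, a send with a very large length becomes an oversized allocation attempt; a guard such as `if (len > UI_FRAME_MAX_LEN_PLACEHOLDER) return -EMSGSIZE;` (limit name is a placeholder) before the allocation would bound it. The buffer is fully overwritten by `memcpy_fromiovec()` on success, so `kmalloc()` would do and the zeroing is redundant. The loop body between the second and third hunks is not shown, and the function starts outside the first hunk. Any early exit inside that loop would now need to reach `kfree(msg_data)`, so it is worth confirming that every path out of the loop falls through to the free, or routing them through a single cleanup label.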