NFC: Copy user space buffer when sending UI frames
Using the userspace IO vector directly is wrong; we should copy it from user space first. Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
parent
08eaa1e0ce
commit
6e950fd214
|
@ -579,7 +579,7 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap,
|
||||||
struct sk_buff *pdu;
|
struct sk_buff *pdu;
|
||||||
struct nfc_llcp_local *local;
|
struct nfc_llcp_local *local;
|
||||||
size_t frag_len = 0, remaining_len;
|
size_t frag_len = 0, remaining_len;
|
||||||
u8 *msg_ptr;
|
u8 *msg_ptr, *msg_data;
|
||||||
int err;
|
int err;
|
||||||
|
|
||||||
pr_debug("Send UI frame len %zd\n", len);
|
pr_debug("Send UI frame len %zd\n", len);
|
||||||
|
@ -588,8 +588,17 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap,
|
||||||
if (local == NULL)
|
if (local == NULL)
|
||||||
return -ENODEV;
|
return -ENODEV;
|
||||||
|
|
||||||
|
msg_data = kzalloc(len, GFP_KERNEL);
|
||||||
|
if (msg_data == NULL)
|
||||||
|
return -ENOMEM;
|
||||||
|
|
||||||
|
if (memcpy_fromiovec(msg_data, msg->msg_iov, len)) {
|
||||||
|
kfree(msg_data);
|
||||||
|
return -EFAULT;
|
||||||
|
}
|
||||||
|
|
||||||
remaining_len = len;
|
remaining_len = len;
|
||||||
msg_ptr = (u8 *) msg->msg_iov;
|
msg_ptr = msg_data;
|
||||||
|
|
||||||
while (remaining_len > 0) {
|
while (remaining_len > 0) {
|
||||||
|
|
||||||
|
@ -616,6 +625,8 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap,
|
||||||
msg_ptr += frag_len;
|
msg_ptr += frag_len;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
kfree(msg_data);
|
||||||
|
|
||||||
return len;
|
return len;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
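Review bot: `len` is supplied by the sending caller and reaches `kzalloc(len, GFP_KERNEL)` in the second hunk with no upper bound visible on this page, so a single send may be able to request an arbitrarily large kernel allocation. Unless a caller outside this view already caps it, add a limit before the allocation, e.g. `if (len > <MAX_UI_SDU_LEN placeholder>) return -EMSGSIZE;`. The buffer is completely overwritten by `memcpy_fromiovec()` on the success path, so `kmalloc` would do in place of `kzalloc`. The loop body between the second and third hunks is not shown; the only `kfree(msg_data)` added is the one after the loop, so any early return inside the loop would leak the copy and should free it first.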