[PATCH] ISDN: check for userspace copy faults
Most of the ISDN ->readstat() implementations needed to check copy_to_user() and put_user() return values. Signed-off-by: Jeff Garzik <jeff@garzik.org> Cc: Karsten Keil <kkeil@suse.de> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
This commit is contained in:
parent
04518bfe8e
commit
7786ce192f
|
@ -1907,7 +1907,8 @@ static int if_readstat(u8 __user *buf, int len, int id, int channel)
|
||||||
}
|
}
|
||||||
|
|
||||||
for (p=buf, count=0; count < len; p++, count++) {
|
for (p=buf, count=0; count < len; p++, count++) {
|
||||||
put_user(*card->q931_read++, p);
|
if (put_user(*card->q931_read++, p))
|
||||||
|
return -EFAULT;
|
||||||
if (card->q931_read > card->q931_end)
|
if (card->q931_read > card->q931_end)
|
||||||
card->q931_read = card->q931_buf;
|
card->q931_read = card->q931_buf;
|
||||||
}
|
}
|
||||||
|
|
|
@ -631,7 +631,8 @@ static int HiSax_readstatus(u_char __user *buf, int len, int id, int channel)
|
||||||
count = cs->status_end - cs->status_read + 1;
|
count = cs->status_end - cs->status_read + 1;
|
||||||
if (count >= len)
|
if (count >= len)
|
||||||
count = len;
|
count = len;
|
||||||
copy_to_user(p, cs->status_read, count);
|
if (copy_to_user(p, cs->status_read, count))
|
||||||
|
return -EFAULT;
|
||||||
cs->status_read += count;
|
cs->status_read += count;
|
||||||
if (cs->status_read > cs->status_end)
|
if (cs->status_read > cs->status_end)
|
||||||
cs->status_read = cs->status_buf;
|
cs->status_read = cs->status_buf;
|
||||||
|
@ -642,7 +643,8 @@ static int HiSax_readstatus(u_char __user *buf, int len, int id, int channel)
|
||||||
cnt = HISAX_STATUS_BUFSIZE;
|
cnt = HISAX_STATUS_BUFSIZE;
|
||||||
else
|
else
|
||||||
cnt = count;
|
cnt = count;
|
||||||
copy_to_user(p, cs->status_read, cnt);
|
if (copy_to_user(p, cs->status_read, cnt))
|
||||||
|
return -EFAULT;
|
||||||
p += cnt;
|
p += cnt;
|
||||||
cs->status_read += cnt % HISAX_STATUS_BUFSIZE;
|
cs->status_read += cnt % HISAX_STATUS_BUFSIZE;
|
||||||
count -= cnt;
|
count -= cnt;
|
||||||
|
|
|
@ -1010,7 +1010,8 @@ icn_readstatus(u_char __user *buf, int len, icn_card * card)
|
||||||
for (p = buf, count = 0; count < len; p++, count++) {
|
for (p = buf, count = 0; count < len; p++, count++) {
|
||||||
if (card->msg_buf_read == card->msg_buf_write)
|
if (card->msg_buf_read == card->msg_buf_write)
|
||||||
return count;
|
return count;
|
||||||
put_user(*card->msg_buf_read++, p);
|
if (put_user(*card->msg_buf_read++, p))
|
||||||
|
return -EFAULT;
|
||||||
if (card->msg_buf_read > card->msg_buf_end)
|
if (card->msg_buf_read > card->msg_buf_end)
|
||||||
card->msg_buf_read = card->msg_buf;
|
card->msg_buf_read = card->msg_buf;
|
||||||
}
|
}
|
||||||
|
|
|
@ -446,7 +446,8 @@ isdnloop_readstatus(u_char __user *buf, int len, isdnloop_card * card)
|
||||||
for (p = buf, count = 0; count < len; p++, count++) {
|
for (p = buf, count = 0; count < len; p++, count++) {
|
||||||
if (card->msg_buf_read == card->msg_buf_write)
|
if (card->msg_buf_read == card->msg_buf_write)
|
||||||
return count;
|
return count;
|
||||||
put_user(*card->msg_buf_read++, p);
|
if (put_user(*card->msg_buf_read++, p))
|
||||||
|
return -EFAULT;
|
||||||
if (card->msg_buf_read > card->msg_buf_end)
|
if (card->msg_buf_read > card->msg_buf_end)
|
||||||
card->msg_buf_read = card->msg_buf;
|
card->msg_buf_read = card->msg_buf;
|
||||||
}
|
}
|
||||||
|
|
|
@ -725,23 +725,27 @@ static int pcbit_stat(u_char __user *buf, int len, int driver, int channel)
|
||||||
|
|
||||||
if (stat_st < stat_end)
|
if (stat_st < stat_end)
|
||||||
{
|
{
|
||||||
copy_to_user(buf, statbuf + stat_st, len);
|
if (copy_to_user(buf, statbuf + stat_st, len))
|
||||||
|
return -EFAULT;
|
||||||
stat_st += len;
|
stat_st += len;
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
if (len > STATBUF_LEN - stat_st)
|
if (len > STATBUF_LEN - stat_st)
|
||||||
{
|
{
|
||||||
copy_to_user(buf, statbuf + stat_st,
|
if (copy_to_user(buf, statbuf + stat_st,
|
||||||
STATBUF_LEN - stat_st);
|
STATBUF_LEN - stat_st))
|
||||||
copy_to_user(buf, statbuf,
|
return -EFAULT;
|
||||||
len - (STATBUF_LEN - stat_st));
|
if (copy_to_user(buf, statbuf,
|
||||||
|
len - (STATBUF_LEN - stat_st)))
|
||||||
|
return -EFAULT;
|
||||||
|
|
||||||
stat_st = len - (STATBUF_LEN - stat_st);
|
stat_st = len - (STATBUF_LEN - stat_st);
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
copy_to_user(buf, statbuf + stat_st, len);
|
if (copy_to_user(buf, statbuf + stat_st, len))
|
||||||
|
return -EFAULT;
|
||||||
|
|
||||||
stat_st += len;
|
stat_st += len;
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue