Re: Misc 2.5 Fixes: cp-user-mdc800

From: Dipankar Sarma (dipankar@in.ibm.com)
Date: Tue Jun 10 2003 - 05:13:18 EST

Next message: Joshua Kwan: "Re: Misc 2.5 Fixes: Summary"
Previous message: Dipankar Sarma: "Re: Misc 2.5 Fixes: cp-user-intermezzo"
In reply to: Dipankar Sarma: "Re: Misc 2.5 Fixes: cp-user-intermezzo"
Next in thread: Dipankar Sarma: "Re: Misc 2.5 Fixes: cp-user-mpu401"
Reply: Dipankar Sarma: "Re: Misc 2.5 Fixes: cp-user-mpu401"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Use copy_to_user/get_char with user buffers.

drivers/usb/image/mdc800.c | 22 +++++++++++++++-------
1 files changed, 15 insertions(+), 7 deletions(-)

diff -puN drivers/usb/image/mdc800.c~cp-user-mdc800 drivers/usb/image/mdc800.c
--- linux-2.5.70-ds/drivers/usb/image/mdc800.c~cp-user-mdc800 2003-06-08 03:13:41.000000000 +0530
+++ linux-2.5.70-ds-dipankar/drivers/usb/image/mdc800.c 2003-06-08 03:21:18.000000000 +0530
@@ -748,8 +748,10 @@ static ssize_t mdc800_device_read (struc
                 }
                 else
                 {
- /* memcpy Bytes */
- memcpy (ptr, &mdc800->out [mdc800->out_ptr], sts);
+ /* Copy Bytes */
+ if (copy_to_user(ptr,
+ &mdc800->out [mdc800->out_ptr], sts))
+ return -EFAULT;
                         ptr+=sts;
                         left-=sts;
                         mdc800->out_ptr+=sts;
@@ -786,14 +788,21 @@ static ssize_t mdc800_device_write (stru

         while (i<len)
         {
+ unsigned char c;
                 if (signal_pending (current))
                 {
                         up (&mdc800->io_lock);
                         return -EINTR;
                 }
+
+ if(get_user(c, buf+i))
+ {
+ up(&mdc800->io_lock);
+ return -EFAULT;
+ }

                 /* check for command start */
- if (buf [i] == (char) 0x55)
+ if (c == 0x55)
                 {
                         mdc800->in_count=0;
                         mdc800->out_count=0;
@@ -804,12 +813,11 @@ static ssize_t mdc800_device_write (stru
                 /* save command byte */
                 if (mdc800->in_count < 8)
                 {
- mdc800->in[mdc800->in_count]=buf[i];
+ mdc800->in[mdc800->in_count] = c;
                         mdc800->in_count++;
                 }
                 else
                 {
- err ("Command is too long !\n");
                         up (&mdc800->io_lock);
                         return -EIO;
                 }
@@ -884,8 +892,8 @@ static ssize_t mdc800_device_write (stru
                                                         return -EIO;
                                                 }

- /* Write dummy data, (this is ugly but part of the USB Protokoll */
- /* if you use endpoint 1 as bulk and not as irq */
+ /* Write dummy data, (this is ugly but part of the USB Protocol */
+ /* if you use endpoint 1 as bulk and not as irq) */
                                                 memcpy (mdc800->out, mdc800->camera_response,8);

                                                 /* This is the interpreted answer */

_
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Joshua Kwan: "Re: Misc 2.5 Fixes: Summary"
Previous message: Dipankar Sarma: "Re: Misc 2.5 Fixes: cp-user-intermezzo"
In reply to: Dipankar Sarma: "Re: Misc 2.5 Fixes: cp-user-intermezzo"
Next in thread: Dipankar Sarma: "Re: Misc 2.5 Fixes: cp-user-mpu401"
Reply: Dipankar Sarma: "Re: Misc 2.5 Fixes: cp-user-mpu401"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b29 : Sun Jun 15 2003 - 22:00:23 EST