[PATCH 1/6] cifs: copy_to_user and copy_from_user fixes

From: Pekka Enberg
Date: Sat Jan 15 2005 - 08:29:14 EST


Check return value for copy_to_user() and copy_from_user().

Signed-off-by: Pekka Enberg <penberg@xxxxxxxxxxxxxx>
---

cifssmb.c | 37 ++++++++++++++++++++++---------------
file.c | 6 +++++-
2 files changed, 27 insertions(+), 16 deletions(-)

Index: linux/fs/cifs/cifssmb.c
===================================================================
--- linux.orig/fs/cifs/cifssmb.c 2005-01-12 19:43:26.012611064 +0200
+++ linux/fs/cifs/cifssmb.c 2005-01-12 20:03:29.307682408 +0200
@@ -886,25 +886,29 @@
pSMB->Reserved = 0xFFFFFFFF;
pSMB->WriteMode = 0;
pSMB->Remaining = 0;
- /* BB can relax this if buffer is big enough in some cases - ie we can
- send more if LARGE_WRITE_X capability returned by the server and if
- our buffer is big enough or if we convert to iovecs on socket writes
- and eliminate the copy to the CIFS buffer */
+ /*
+ * BB can relax this if buffer is big enough in some cases - ie we can
+ * send more if LARGE_WRITE_X capability returned by the server and if
+ * our buffer is big enough or if we convert to iovecs on socket writes
+ * and eliminate the copy to the CIFS buffer
+ */
bytes_sent = (tcon->ses->server->maxBuf - MAX_CIFS_HDR_SIZE) & ~0xFF;
if (bytes_sent > count)
bytes_sent = count;
pSMB->DataLengthHigh = 0;
pSMB->DataOffset =
cpu_to_le16(offsetof(struct smb_com_write_req,Data) - 4);
- if(buf)
- memcpy(pSMB->Data,buf,bytes_sent);
- else if(ubuf)
- copy_from_user(pSMB->Data,ubuf,bytes_sent);
- else {
- /* No buffer */
- if(pSMB)
- cifs_buf_release(pSMB);
- return -EINVAL;
+
+ if (buf)
+ memcpy(pSMB->Data, buf, bytes_sent);
+ else if (ubuf) {
+ if (copy_from_user(pSMB->Data, ubuf, bytes_sent)) {
+ rc = -EFAULT;
+ goto out_release;
+ }
+ } else {
+ rc = -EINVAL;
+ goto out_release;
}

byte_count = bytes_sent + 1 /* pad */ ;
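Review bot: The two new `goto out_release` paths return whatever `rc` holds at that point; `rc`'s declaration and any initialisation are outside this hunk, and the jump skips everything between this hunk and the label (including the send/response handling) so nothing later can overwrite the error. That is the right order for the copy_from_user failure, since it means a request whose Data payload was only partially filled is released and never sent, but that intent is not stated anywhere; a one-line comment at the new check, `/* partial copy: drop the request rather than send a half-filled Data payload */`, would make it explicit for the next reader. The enclosing function starts before this hunk.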
@@ -921,11 +925,14 @@
} else
*nbytes = le16_to_cpu(pSMBr->Count);

+ out_release:
if (pSMB)
cifs_buf_release(pSMB);

- /* Note: On -EAGAIN error only caller can retry on handle based calls
- since file handle passed in no longer valid */
+ /*
+ * Note: On -EAGAIN error only caller can retry on handle based calls
+ * since file handle passed in no longer valid
+ */

return rc;
}
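Review bot: The new `out_release:` label sits after the `*nbytes = le16_to_cpu(pSMBr->Count)` assignment, so the error paths that now jump here leave `*nbytes` untouched; unless it is zeroed at function entry (not visible in this hunk), a caller that reads it after a non-zero return sees stale data. If that is acceptable because callers only read `*nbytes` on success, a comment at the label saying so, `/* error paths land here with *nbytes unchanged */`, would document the contract. The `if (pSMB)` guard below the label only matters for whatever path reached it before this patch; both new gotos are taken after pSMB has already been dereferenced.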
Index: linux/fs/cifs/file.c
===================================================================
--- linux.orig/fs/cifs/file.c 2005-01-12 19:43:26.018610152 +0200
+++ linux/fs/cifs/file.c 2005-01-12 20:02:29.110833720 +0200
@@ -1165,8 +1165,12 @@
&bytes_read, &smb_read_data);

pSMBr = (struct smb_com_read_rsp *)smb_read_data;
- copy_to_user(current_offset,smb_read_data + 4/* RFC1001 hdr*/
+ rc = copy_to_user(current_offset, smb_read_data + 4 /* RFC1001 hdr */
+ le16_to_cpu(pSMBr->DataOffset), bytes_read);
+ if (rc) {
+ FreeXid(xid);
+ return -EFAULT;
+ }
if(smb_read_data) {
cifs_buf_release(smb_read_data);
smb_read_data = NULL;
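Review bot: The new `if (rc)` early return leaks `smb_read_data`: the release on the following lines (`if(smb_read_data) { cifs_buf_release(smb_read_data); ...`) is skipped, so every failed copy_to_user drops a response buffer. Add `if (smb_read_data) cifs_buf_release(smb_read_data);` before `FreeXid(xid);` in the new block so the error path releases what the success path releases. Separately, copy_to_user returns an `unsigned long` count of uncopied bytes, so storing it in `rc` and then returning -EFAULT is misleading; `if (copy_to_user(...)) {` on the condition itself keeps `rc` for actual error codes. The enclosing function starts and ends outside this hunk.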

