[PATCH] ISDN: check for userspace copy faults

From: Jeff Garzik
Date: Wed Oct 11 2006 - 16:26:59 EST



Most of the ISDN ->readstat() implementations needed to check
copy_to_user() and put_user() return values.

Signed-off-by: Jeff Garzik <jeff@xxxxxxxxxx>

---

drivers/isdn/capi/capidrv.c | 3 ++-
drivers/isdn/hisax/config.c | 6 ++++--
drivers/isdn/icn/icn.c | 3 ++-
drivers/isdn/isdnloop/isdnloop.c | 3 ++-
drivers/isdn/pcbit/drv.c | 16 ++++++++++------
5 files changed, 20 insertions(+), 11 deletions(-)

diff --git a/drivers/isdn/capi/capidrv.c b/drivers/isdn/capi/capidrv.c
index d10c8b8..b6f9476 100644
--- a/drivers/isdn/capi/capidrv.c
+++ b/drivers/isdn/capi/capidrv.c
@@ -1907,7 +1907,8 @@ static int if_readstat(u8 __user *buf, i
}

for (p=buf, count=0; count < len; p++, count++) {
- put_user(*card->q931_read++, p);
+ if (put_user(*card->q931_read++, p))
+ return -EFAULT;
if (card->q931_read > card->q931_end)
card->q931_read = card->q931_buf;
}
diff --git a/drivers/isdn/hisax/config.c b/drivers/isdn/hisax/config.c
index e4823ab..785b085 100644
--- a/drivers/isdn/hisax/config.c
+++ b/drivers/isdn/hisax/config.c
@@ -631,7 +631,8 @@ static int HiSax_readstatus(u_char __use
count = cs->status_end - cs->status_read + 1;
if (count >= len)
count = len;
- copy_to_user(p, cs->status_read, count);
+ if (copy_to_user(p, cs->status_read, count))
+ return -EFAULT;
cs->status_read += count;
if (cs->status_read > cs->status_end)
cs->status_read = cs->status_buf;
@@ -642,7 +643,8 @@ static int HiSax_readstatus(u_char __use
cnt = HISAX_STATUS_BUFSIZE;
else
cnt = count;
- copy_to_user(p, cs->status_read, cnt);
+ if (copy_to_user(p, cs->status_read, cnt))
+ return -EFAULT;
p += cnt;
cs->status_read += cnt % HISAX_STATUS_BUFSIZE;
count -= cnt;
diff --git a/drivers/isdn/icn/icn.c b/drivers/isdn/icn/icn.c
index 6649f8b..730bbd0 100644
--- a/drivers/isdn/icn/icn.c
+++ b/drivers/isdn/icn/icn.c
@@ -1010,7 +1010,8 @@ icn_readstatus(u_char __user *buf, int l
for (p = buf, count = 0; count < len; p++, count++) {
if (card->msg_buf_read == card->msg_buf_write)
return count;
- put_user(*card->msg_buf_read++, p);
+ if (put_user(*card->msg_buf_read++, p))
+ return -EFAULT;
if (card->msg_buf_read > card->msg_buf_end)
card->msg_buf_read = card->msg_buf;
}
diff --git a/drivers/isdn/isdnloop/isdnloop.c b/drivers/isdn/isdnloop/isdnloop.c
index fabbd46..9a66524 100644
--- a/drivers/isdn/isdnloop/isdnloop.c
+++ b/drivers/isdn/isdnloop/isdnloop.c
@@ -451,7 +451,8 @@ isdnloop_readstatus(u_char __user *buf,
for (p = buf, count = 0; count < len; p++, count++) {
if (card->msg_buf_read == card->msg_buf_write)
return count;
- put_user(*card->msg_buf_read++, p);
+ if (put_user(*card->msg_buf_read++, p))
+ return -EFAULT;
if (card->msg_buf_read > card->msg_buf_end)
card->msg_buf_read = card->msg_buf;
}
diff --git a/drivers/isdn/pcbit/drv.c b/drivers/isdn/pcbit/drv.c
index 94f2148..d2e5e10 100644
--- a/drivers/isdn/pcbit/drv.c
+++ b/drivers/isdn/pcbit/drv.c
@@ -725,23 +725,27 @@ static int pcbit_stat(u_char __user *buf

if (stat_st < stat_end)
{
- copy_to_user(buf, statbuf + stat_st, len);
+ if (copy_to_user(buf, statbuf + stat_st, len))
+ return -EFAULT;
stat_st += len;
}
else
{
if (len > STATBUF_LEN - stat_st)
{
- copy_to_user(buf, statbuf + stat_st,
- STATBUF_LEN - stat_st);
- copy_to_user(buf, statbuf,
- len - (STATBUF_LEN - stat_st));
+ if (copy_to_user(buf, statbuf + stat_st,
+ STATBUF_LEN - stat_st))
+ return -EFAULT;
+ if (copy_to_user(buf, statbuf,
+ len - (STATBUF_LEN - stat_st)))
+ return -EFAULT;

stat_st = len - (STATBUF_LEN - stat_st);
}
else
{
- copy_to_user(buf, statbuf + stat_st, len);
+ if (copy_to_user(buf, statbuf + stat_st, len))
+ return -EFAULT;

stat_st += len;

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/