[09/37] net: Fix wrong interpretation of some copy_to_user() results.

From: Greg KH
Date: Tue Apr 29 2008 - 13:23:22 EST


2.6.25-stable review patch. If anyone has any objections, please let us
know.

------------------
From: Pavel Emelyanov <xemul@xxxxxxxxxx>

[ Upstream commit: 653252c2302cdf2dfbca66a7e177f7db783f9efa ]

I found some places that erroneously return the value obtained from
the copy_to_user() call: if some amount of bytes were not able to get
to the user (this is what this one returns) the proper behavior is to
return the -EFAULT error, not that number itself.

Signed-off-by: Pavel Emelyanov <xemul@xxxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxx>

---
net/can/raw.c | 3 ++-
net/dccp/probe.c | 2 +-
net/tipc/socket.c | 4 ++--
3 files changed, 5 insertions(+), 4 deletions(-)

--- a/net/can/raw.c
+++ b/net/can/raw.c
@@ -573,7 +573,8 @@ static int raw_getsockopt(struct socket
int fsize = ro->count * sizeof(struct can_filter);
if (len > fsize)
len = fsize;
- err = copy_to_user(optval, ro->filter, len);
+ if (copy_to_user(optval, ro->filter, len))
+ err = -EFAULT;
} else
len = 0;
release_sock(sk);
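
Review bot: In the filter branch of raw_getsockopt(), err is now written only when copy_to_user() fails, so the success path depends on err already being 0 when this branch is entered; the old `err = copy_to_user(...)` set it to 0 explicitly on success. The initialisation is outside the visible context, so please confirm it (the `else len = 0;` arm leaves err untouched as well, which suggests it is there). A form that does not depend on earlier state would be `err = copy_to_user(optval, ro->filter, len) ? -EFAULT : 0;`, which also matches the style used in the dccp hunk of this same patch.
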
--- a/net/dccp/probe.c
+++ b/net/dccp/probe.c
@@ -145,7 +145,7 @@ static ssize_t dccpprobe_read(struct fil
goto out_free;

cnt = kfifo_get(dccpw.fifo, tbuf, len);
- error = copy_to_user(buf, tbuf, cnt);
+ error = copy_to_user(buf, tbuf, cnt) ? -EFAULT : 0;

out_free:
vfree(tbuf);
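
Review bot: In dccpprobe_read(), kfifo_get() has already dequeued cnt bytes into tbuf by the time copy_to_user() runs, so on the new -EFAULT path those bytes are freed with tbuf and never reach the reader. Returning -EFAULT is the right error, but the changelog should state that the dequeued data is dropped on a faulting buffer, or the copy should be made restartable if losing probe output matters. It is also worth checking that the success return after out_free still reports cnt and not error, since error is now strictly 0 or -EFAULT.
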
--- a/net/tipc/socket.c
+++ b/net/tipc/socket.c
@@ -1600,8 +1600,8 @@ static int getsockopt(struct socket *soc
else if (len < sizeof(value)) {
res = -EINVAL;
}
- else if ((res = copy_to_user(ov, &value, sizeof(value)))) {
- /* couldn't return value */
+ else if (copy_to_user(ov, &value, sizeof(value))) {
+ res = -EFAULT;
}
else {
res = put_user(sizeof(value), ol);
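
Review bot: The trailing `res = put_user(sizeof(value), ol);` in getsockopt() is left assigning the helper's return value directly, which is correct because put_user() returns 0 or -EFAULT and not a byte count, but the changelog does not say so and the two adjacent branches now look inconsistent. A short sentence in the commit message (or a comment on that line) explaining why put_user() needs no conversion would stop a later cleanup from "fixing" it the same way.
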
