    [PATCH] mmaper_kern.c fixes [buffer overruns] · 6a029a90
    Al Viro authored
     - copy_from_user() can fail; ->write() must check its return value.
    
     - severe buffer overruns both in ->read() and ->write() - lseek to the
       end (i.e.  to mmapper_size) and
    
    	if (count + *ppos > mmapper_size)
    		count = count + *ppos - mmapper_size;
    
       will do absolutely nothing.  Then it will call
    
    	copy_to_user(buf,&v_buf[*ppos],count);
    
       with obvious results (similar for ->write()).
    
       Fixed by turning read to simple_read_from_buffer() and by doing
       normal limiting of count in ->write().
    
     - gratuitous lock_kernel() in ->mmap() - it's useless there.
    
     - lots of gratuitous includes.
    Signed-off-by: Al Viro <viro@parcelfarce.linux.theplanet.co.uk>
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
mmapper_kern.c 2.86 KB
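
The count arithmetic described in the commit message, as an added example that is not part of the commit or the kernel source: a user-space C model that compares the quoted limiting with ordinary clamping and a bounded read in the style of simple_read_from_buffer(). The function names, the 64-byte MMAPPER_SIZE and the sample data are assumptions made for the demo.

```c
#include <stdio.h>
#include <string.h>

#define MMAPPER_SIZE 64   /* constructed size; all names here are assumptions */

/* "Before": the limiting quoted in the commit message. */
static size_t old_limit(size_t count, size_t pos, size_t size)
{
    if (count + pos > size)
        count = count + pos - size;   /* yields the overshoot, not the room left */
    return count;
}

/* Ordinary limiting: pos + count never exceeds size. */
static size_t clamp_count(size_t count, size_t pos, size_t size)
{
    if (pos >= size)
        return 0;
    return count > size - pos ? size - pos : count;
}

/* Bytes an access [pos, pos + count) would touch beyond the buffer. */
static size_t past_end(size_t count, size_t pos, size_t size)
{
    return pos + count > size ? pos + count - size : 0;
}

/* Bounded read: copy only what fits, then advance the position. */
static size_t bounded_read(char *to, size_t count, size_t *pos, const char *from, size_t size)
{
    size_t n = clamp_count(count, *pos, size);
    if (n)
        memcpy(to, from + *pos, n);
    *pos += n;
    return n;
}

int main(void)
{
    static const char v_buf[MMAPPER_SIZE] = "constructed sample data";
    static const size_t cases[][2] = { {64, 16}, {60, 10}, {0, 100} };  /* pos, count */
    char out[128];
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        size_t pos = cases[i][0], count = cases[i][1];
        size_t old = old_limit(count, pos, MMAPPER_SIZE);
        size_t over = past_end(old, pos, MMAPPER_SIZE);
        size_t got = bounded_read(out, count, &pos, v_buf, MMAPPER_SIZE);
        printf("pos=%zu count=%zu old=%zu overrun=%zu bounded=%zu\n", cases[i][0], count, old, over, got);
    }
    return 0;
}
```

With the position at the end of the buffer the old limiting leaves count unchanged, so the whole request lands past the end; a request starting at position 0 is instead cut short to the overshoot.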