Commit 7786ce19 authored by Jeff Garzik's avatar Jeff Garzik Committed by Linus Torvalds

[PATCH] ISDN: check for userspace copy faults

Most of the ISDN ->readstat() implementations needed to check
copy_to_user() and put_user() return values.
Signed-off-by: default avatarJeff Garzik <jeff@garzik.org>
Cc: Karsten Keil <kkeil@suse.de>
Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
parent 04518bfe
...@@ -1907,7 +1907,8 @@ static int if_readstat(u8 __user *buf, int len, int id, int channel) ...@@ -1907,7 +1907,8 @@ static int if_readstat(u8 __user *buf, int len, int id, int channel)
} }
for (p=buf, count=0; count < len; p++, count++) { for (p=buf, count=0; count < len; p++, count++) {
put_user(*card->q931_read++, p); if (put_user(*card->q931_read++, p))
return -EFAULT;
if (card->q931_read > card->q931_end) if (card->q931_read > card->q931_end)
card->q931_read = card->q931_buf; card->q931_read = card->q931_buf;
} }
......
...@@ -631,7 +631,8 @@ static int HiSax_readstatus(u_char __user *buf, int len, int id, int channel) ...@@ -631,7 +631,8 @@ static int HiSax_readstatus(u_char __user *buf, int len, int id, int channel)
count = cs->status_end - cs->status_read + 1; count = cs->status_end - cs->status_read + 1;
if (count >= len) if (count >= len)
count = len; count = len;
copy_to_user(p, cs->status_read, count); if (copy_to_user(p, cs->status_read, count))
return -EFAULT;
cs->status_read += count; cs->status_read += count;
if (cs->status_read > cs->status_end) if (cs->status_read > cs->status_end)
cs->status_read = cs->status_buf; cs->status_read = cs->status_buf;
...@@ -642,7 +643,8 @@ static int HiSax_readstatus(u_char __user *buf, int len, int id, int channel) ...@@ -642,7 +643,8 @@ static int HiSax_readstatus(u_char __user *buf, int len, int id, int channel)
cnt = HISAX_STATUS_BUFSIZE; cnt = HISAX_STATUS_BUFSIZE;
else else
cnt = count; cnt = count;
copy_to_user(p, cs->status_read, cnt); if (copy_to_user(p, cs->status_read, cnt))
return -EFAULT;
p += cnt; p += cnt;
cs->status_read += cnt % HISAX_STATUS_BUFSIZE; cs->status_read += cnt % HISAX_STATUS_BUFSIZE;
count -= cnt; count -= cnt;
......
...@@ -1010,7 +1010,8 @@ icn_readstatus(u_char __user *buf, int len, icn_card * card) ...@@ -1010,7 +1010,8 @@ icn_readstatus(u_char __user *buf, int len, icn_card * card)
for (p = buf, count = 0; count < len; p++, count++) { for (p = buf, count = 0; count < len; p++, count++) {
if (card->msg_buf_read == card->msg_buf_write) if (card->msg_buf_read == card->msg_buf_write)
return count; return count;
put_user(*card->msg_buf_read++, p); if (put_user(*card->msg_buf_read++, p))
return -EFAULT;
if (card->msg_buf_read > card->msg_buf_end) if (card->msg_buf_read > card->msg_buf_end)
card->msg_buf_read = card->msg_buf; card->msg_buf_read = card->msg_buf;
} }
......
...@@ -446,7 +446,8 @@ isdnloop_readstatus(u_char __user *buf, int len, isdnloop_card * card) ...@@ -446,7 +446,8 @@ isdnloop_readstatus(u_char __user *buf, int len, isdnloop_card * card)
for (p = buf, count = 0; count < len; p++, count++) { for (p = buf, count = 0; count < len; p++, count++) {
if (card->msg_buf_read == card->msg_buf_write) if (card->msg_buf_read == card->msg_buf_write)
return count; return count;
put_user(*card->msg_buf_read++, p); if (put_user(*card->msg_buf_read++, p))
return -EFAULT;
if (card->msg_buf_read > card->msg_buf_end) if (card->msg_buf_read > card->msg_buf_end)
card->msg_buf_read = card->msg_buf; card->msg_buf_read = card->msg_buf;
} }
......
...@@ -725,23 +725,27 @@ static int pcbit_stat(u_char __user *buf, int len, int driver, int channel) ...@@ -725,23 +725,27 @@ static int pcbit_stat(u_char __user *buf, int len, int driver, int channel)
if (stat_st < stat_end) if (stat_st < stat_end)
{ {
copy_to_user(buf, statbuf + stat_st, len); if (copy_to_user(buf, statbuf + stat_st, len))
return -EFAULT;
stat_st += len; stat_st += len;
} }
else else
{ {
if (len > STATBUF_LEN - stat_st) if (len > STATBUF_LEN - stat_st)
{ {
copy_to_user(buf, statbuf + stat_st, if (copy_to_user(buf, statbuf + stat_st,
STATBUF_LEN - stat_st); STATBUF_LEN - stat_st))
copy_to_user(buf, statbuf, return -EFAULT;
len - (STATBUF_LEN - stat_st)); if (copy_to_user(buf, statbuf,
len - (STATBUF_LEN - stat_st)))
return -EFAULT;
stat_st = len - (STATBUF_LEN - stat_st); stat_st = len - (STATBUF_LEN - stat_st);
} }
else else
{ {
copy_to_user(buf, statbuf + stat_st, len); if (copy_to_user(buf, statbuf + stat_st, len))
return -EFAULT;
stat_st += len; stat_st += len;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment