From: ppisa Date: Thu, 3 Feb 2005 16:40:08 +0000 (+0000) Subject: Added checking of values returned by copy_to/from_user X-Git-Tag: CLT_COMM_CAN-lincan-0_3_1~25 X-Git-Url: http://rtime.felk.cvut.cz/gitweb/lincan.git/commitdiff_plain/46e2f34c15f734054295e3a2a2d68828247bcd86 Added checking of values returned by copy_to/from_user to fulfill 2.6.x kernel rules. --- diff --git a/lincan/src/ioctl.c b/lincan/src/ioctl.c index f6f8ff4..38d75a4 100644 --- a/lincan/src/ioctl.c +++ b/lincan/src/ioctl.c @@ -78,7 +78,9 @@ int can_ioctl(struct inode *inode, struct file *file, unsigned int cmd, unsigned case CANQUE_FILTER: { struct canfilt_t canfilt; - copy_from_user(&canfilt, (void*)arg, sizeof(struct canfilt_t)); + int ret; + ret = copy_from_user(&canfilt, (void*)arg, sizeof(struct canfilt_t)); + if(ret) return -EFAULT; if(canuser->rx_edge0){ canque_set_filt(canuser->rx_edge0, canfilt.id, canfilt.mask, canfilt.flags); } @@ -89,10 +91,12 @@ int can_ioctl(struct inode *inode, struct file *file, unsigned int cmd, unsigned int ret; struct canmsg_t rtr_msg; - copy_from_user(&rtr_msg, (void*)arg, sizeof(struct canmsg_t)); + ret = copy_from_user(&rtr_msg, (void*)arg, sizeof(struct canmsg_t)); + if(ret) return -EFAULT; ret = can_ioctl_remote_read(canuser, &rtr_msg, rtr_msg.id, 0); if(ret<0) return ret; - copy_to_user((void*)arg, &rtr_msg, sizeof(struct canmsg_t)); + ret = copy_to_user((void*)arg, &rtr_msg, sizeof(struct canmsg_t)); + if(ret) return -EFAULT; break; } @@ -110,7 +114,11 @@ int can_ioctl(struct inode *inode, struct file *file, unsigned int cmd, unsigned case CONF_BAUDPARAMS: { struct can_baudparams_t params; - copy_from_user(¶ms, (void*)arg, sizeof(struct can_baudparams_t)); + int ret; + + ret = copy_from_user(¶ms, (void*)arg, sizeof(struct can_baudparams_t)); + if(ret) return -EFAULT; + if(params.flags == -1) params.flags = 0; if(params.baudrate == -1) params.baudrate = chip->baudrate; if(params.sjw == -1) params.sjw = 0; diff --git a/lincan/src/read.c b/lincan/src/read.c index c16c76b..a6f5305 100644 --- a/lincan/src/read.c +++ b/lincan/src/read.c @@ -54,19 +54,21 @@ ssize_t can_read(struct file *file, char *buffer, size_t length, loff_t *offset) } } - copy_to_user(buffer, &slot->msg, sizeof(struct canmsg_t)); + ret = copy_to_user(buffer, &slot->msg, sizeof(struct canmsg_t)); canque_free_outslot(qends, qedge, slot); buffer += sizeof(struct canmsg_t); bytes_to_copy = length-sizeof(struct canmsg_t); + if(ret) return -EFAULT; while (bytes_to_copy > 0) { ret=canque_test_outslot(qends, &qedge, &slot); if(ret<0) break; - copy_to_user(buffer, &slot->msg, sizeof(struct canmsg_t)); + ret = copy_to_user(buffer, &slot->msg, sizeof(struct canmsg_t)); canque_free_outslot(qends, qedge, slot); buffer += sizeof(struct canmsg_t); bytes_to_copy -= sizeof(struct canmsg_t); + if(ret) return -EFAULT; } return length-bytes_to_copy; diff --git a/lincan/src/write.c b/lincan/src/write.c index dccade1..4b65a14 100644 --- a/lincan/src/write.c +++ b/lincan/src/write.c @@ -20,7 +20,7 @@ ssize_t can_write(struct file *file, const char *buffer, size_t length, loff_t * struct canque_ends_t *qends; struct canque_edge_t *qedge; struct canque_slot_t *slot; - int ret = 0; + int ret; unsigned bytes_to_copy; if(!canuser || (canuser->magic != CAN_USER_MAGIC)){ @@ -53,7 +53,8 @@ ssize_t can_write(struct file *file, const char *buffer, size_t length, loff_t * /* Prepare first message */ - copy_from_user(&msg_buff, buffer, sizeof(struct canmsg_t)); + ret = copy_from_user(&msg_buff, buffer, sizeof(struct canmsg_t)); + if(ret) return -EFAULT; /* Automatic selection of extended format if ID>2047 */ if (msg_buff.id & ~0x7ffl & MSG_ID_MASK ) msg_buff.flags |= MSG_EXT; @@ -91,7 +92,8 @@ ssize_t can_write(struct file *file, const char *buffer, size_t length, loff_t * while (bytes_to_copy >= sizeof(struct canmsg_t)) { bytes_to_copy -= sizeof(struct canmsg_t); /* Prepare first message */ - copy_from_user(&msg_buff, buffer, sizeof(struct canmsg_t)); + ret = copy_from_user(&msg_buff, buffer, sizeof(struct canmsg_t)); + if(ret) return -EFAULT; /* Automatic selection of extended format if ID>2047 */ if (msg_buff.id & ~0x7ffl & MSG_ID_MASK ) msg_buff.flags |= MSG_EXT;