Commit eb0296b9 authored by Alexander Viro's avatar Alexander Viro Committed by Linus Torvalds

[PATCH] rndis fix

blind dereferencing of userland pointers in procfs ->write() in rndis.c
Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
parent d74c62f4
...@@ -1323,11 +1323,15 @@ int rndis_proc_read (char *page, char **start, off_t off, int count, int *eof, ...@@ -1323,11 +1323,15 @@ int rndis_proc_read (char *page, char **start, off_t off, int count, int *eof,
int rndis_proc_write (struct file *file, const char __user *buffer, int rndis_proc_write (struct file *file, const char __user *buffer,
unsigned long count, void *data) unsigned long count, void *data)
{ {
rndis_params *p = data;
u32 speed = 0; u32 speed = 0;
int i, fl_speed = 0; int i, fl_speed = 0;
for (i = 0; i < count; i++) { for (i = 0; i < count; i++) {
switch (*buffer) { char c;
if (get_user(c, buffer))
return -EFAULT;
switch (c) {
case '0': case '0':
case '1': case '1':
case '2': case '2':
...@@ -1339,21 +1343,19 @@ int rndis_proc_write (struct file *file, const char __user *buffer, ...@@ -1339,21 +1343,19 @@ int rndis_proc_write (struct file *file, const char __user *buffer,
case '8': case '8':
case '9': case '9':
fl_speed = 1; fl_speed = 1;
speed = speed*10 + *buffer - '0'; speed = speed*10 + c - '0';
break; break;
case 'C': case 'C':
case 'c': case 'c':
rndis_signal_connect (((rndis_params *) data) rndis_signal_connect (p->confignr);
->confignr);
break; break;
case 'D': case 'D':
case 'd': case 'd':
rndis_signal_disconnect (((rndis_params *) data) rndis_signal_disconnect(p->confignr);
->confignr);
break; break;
default: default:
if (fl_speed) ((rndis_params *) data)->speed = speed; if (fl_speed) p->speed = speed;
else DEBUG ("%c is not valid\n", *buffer); else DEBUG ("%c is not valid\n", c);
break; break;
} }
......
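Review bot: The loop index `i` is still a signed `int` compared against the caller-supplied `unsigned long count` in `for (i = 0; i < count; i++)`, so the comparison is done unsigned and a count above INT_MAX would push `i++` into signed overflow. Declaring it as `unsigned long i;`, or clamping `count` to a small maximum before the loop, removes that. The accumulation `speed = speed*10 + c - '0'` also wraps the `u32` silently on a long run of digits, so a range check before `p->speed = speed` would be worth adding. The tail of `rndis_proc_write` (the buffer advance and the return value) lies outside the visible hunks, so whether digits at the very end of a write are ever stored cannot be confirmed from here.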