Commit 54cbdcfd authored by Andrew Morton's avatar Andrew Morton Committed by Jaroslav Kysela

[PATCH] copy_user checks in filldir()

Check for usercopy faults in filldir().
parent 012af46c
...@@ -133,18 +133,26 @@ static int filldir(void * __buf, const char * name, int namlen, loff_t offset, ...@@ -133,18 +133,26 @@ static int filldir(void * __buf, const char * name, int namlen, loff_t offset,
if (reclen > buf->count) if (reclen > buf->count)
return -EINVAL; return -EINVAL;
dirent = buf->previous; dirent = buf->previous;
if (dirent) if (dirent) {
__put_user(offset, &dirent->d_off); if (__put_user(offset, &dirent->d_off))
goto efault;
}
dirent = buf->current_dir; dirent = buf->current_dir;
buf->previous = dirent; buf->previous = dirent;
__put_user(ino, &dirent->d_ino); if (__put_user(ino, &dirent->d_ino))
__put_user(reclen, &dirent->d_reclen); goto efault;
copy_to_user(dirent->d_name, name, namlen); if (__put_user(reclen, &dirent->d_reclen))
__put_user(0, dirent->d_name + namlen); goto efault;
if (copy_to_user(dirent->d_name, name, namlen))
goto efault;
if (__put_user(0, dirent->d_name + namlen))
goto efault;
((char *) dirent) += reclen; ((char *) dirent) += reclen;
buf->current_dir = dirent; buf->current_dir = dirent;
buf->count -= reclen; buf->count -= reclen;
return 0; return 0;
efault:
return -EFAULT;
} }
asmlinkage long sys_getdents(unsigned int fd, void * dirent, unsigned int count) asmlinkage long sys_getdents(unsigned int fd, void * dirent, unsigned int count)
...@@ -174,8 +182,10 @@ asmlinkage long sys_getdents(unsigned int fd, void * dirent, unsigned int count) ...@@ -174,8 +182,10 @@ asmlinkage long sys_getdents(unsigned int fd, void * dirent, unsigned int count)
error = buf.error; error = buf.error;
lastdirent = buf.previous; lastdirent = buf.previous;
if (lastdirent) { if (lastdirent) {
put_user(file->f_pos, &lastdirent->d_off); if (put_user(file->f_pos, &lastdirent->d_off))
error = count - buf.count; error = -EFAULT;
else
error = count - buf.count;
} }
out_putf: out_putf:
......
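Review bot: The new `efault:` exit in filldir() returns -EFAULT without recording it in `buf`, while sys_getdents() in the second hunk still derives its result from `buf.error` and `buf.previous`, so a fault inside filldir() may not reach the caller as -EFAULT. `buf->previous = dirent;` is also assigned before the checked writes, so after a fault `lastdirent` can point at a half-written entry. If the final `put_user(file->f_pos, &lastdirent->d_off)` then succeeds, the syscall returns `count - buf.count` (possibly 0, which user space reads as end of directory) instead of an error. Where `buf->error` is set lies outside the visible hunks, so this needs confirming, but I would make the exit `efault: buf->error = -EFAULT; return -EFAULT;` and move `buf->previous = dirent;` below the last checked write. filldir() starts above the first hunk and sys_getdents() continues past the second.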