diff options
| author | Al Viro <viro@parcelfarce.linux.theplanet.co.uk> | 2005-08-27 06:48:15 +0100 |
|---|---|---|
| committer | Linus Torvalds <torvalds@g5.osdl.org> | 2005-08-27 10:11:40 -0700 |
| commit | 6a029a90f5b93e2b50bcbbaef05ef91fa0c1d6b3 (patch) | |
| tree | ba62bf7de680c10c00224305d628b484494918a1 /fs/compat_ioctl.c | |
| parent | 36676bcbf9f6bcbea9d06e67ee8d04eacde54952 (diff) | |
| download | op-kernel-dev-6a029a90f5b93e2b50bcbbaef05ef91fa0c1d6b3.zip op-kernel-dev-6a029a90f5b93e2b50bcbbaef05ef91fa0c1d6b3.tar.gz | |
[PATCH] mmaper_kern.c fixes [buffer overruns]
- copy_from_user() can fail; ->write() must check its return value.
- severe buffer overruns both in ->read() and ->write() - lseek to the
end (i.e. to mmapper_size) and
if (count + *ppos > mmapper_size)
count = count + *ppos - mmapper_size;
will do absolutely nothing. Then it will call
copy_to_user(buf,&v_buf[*ppos],count);
with obvious results (similar for ->write()).
Fixed by turning read to simple_read_from_buffer() and by doing
normal limiting of count in ->write().
- gratitious lock_kernel() in ->mmap() - it's useless there.
- lots of gratuitous includes.
Signed-off-by: Al Viro <viro@parcelfarce.linux.theplanet.co.uk>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Diffstat (limited to 'fs/compat_ioctl.c')
0 files changed, 0 insertions, 0 deletions
