author | Jan Harkes <jaharkes@cs.cmu.edu> | 2005-01-10 17:26:36 -0800 |
---|---|---|
committer | Linus Torvalds <torvalds@ppc970.osdl.org> | 2005-01-10 17:26:36 -0800 |
commit | e926095b7dd6e715d931486f16a85250807dae64 (patch) | |
tree | 59382f1a4155ad1f1025a480cb82edec417b8001 /fs | |
parent | 019ae484a3615f2736a4b2054716f2679da54c06 (diff) | |
[PATCH] coda: bounds checking
This patch adds bounds checks for tainted scalars (reported by Brian Fulton
and Ted Unangst, Coverity Inc.).
Signed-off-by: Jan Harkes <jaharkes@cs.cmu.edu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Diffstat (limited to 'fs')
-rw-r--r-- | fs/coda/upcall.c | 26 |
1 files changed, 19 insertions, 7 deletions
diff --git a/fs/coda/upcall.c b/fs/coda/upcall.c
index 569e144c661ac7..5ac4985bfe0581 100644
--- a/fs/coda/upcall.c
+++ b/fs/coda/upcall.c
@@ -555,6 +555,11 @@ int venus_pioctl(struct super_block *sb, struct CodaFid *fid,
 goto exit;
 }
+ if (data->vi.out_size > VC_MAXDATASIZE) {
+ error = -EINVAL;
+ goto exit;
+ }
+
 inp->coda_ioctl.VFid = *fid;
 /* the cmd field was mutated by increasing its size field to
@@ -583,19 +588,26 @@ int venus_pioctl(struct super_block *sb, struct CodaFid *fid,
 error, coda_f2s(fid));
 goto exit;
 }
+
+ if (outsize < (long)outp->coda_ioctl.data + outp->coda_ioctl.len) {
+ error = -EINVAL;
+ goto exit;
+ }
 /* Copy out the OUT buffer. */
 if (outp->coda_ioctl.len > data->vi.out_size) {
 error = -EINVAL;
- } else {
- if (copy_to_user(data->vi.out,
- (char *)outp + (long)outp->coda_ioctl.data,
- data->vi.out_size)) {
- error = -EFAULT;
- goto exit;
- }
+ goto exit;
 }
+ /* Copy out the OUT buffer. */
+ if (copy_to_user(data->vi.out,
+ (char *)outp + (long)outp->coda_ioctl.data,
+ outp->coda_ioctl.len)) {
+ error = -EFAULT;
+ goto exit;
+ }
+
 exit:
 CODA_FREE(inp, insize);
 return error; |
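Review bot: In the first hunk (@@ -555), the added `data->vi.out_size > VC_MAXDATASIZE` test bounds the caller-supplied size only from above. The field's declaration is not visible here; if it is a signed type, a negative value passes this test and is carried into the later comparison against `outp->coda_ioctl.len`. Should that be the case, `if (data->vi.out_size < 0 || data->vi.out_size > VC_MAXDATASIZE) {` states the accepted range outright. venus_pioctl begins outside this hunk, so any earlier validation of the same structure cannot be seen from here.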
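Review bot: In the second hunk (@@ -583), the new `outsize < (long)outp->coda_ioctl.data + outp->coda_ioctl.len` test checks only the end of the reply region, so it depends on both the offset and the length being non-negative. Their types are not visible in the hunk; if either is signed, a negative `data` offset paired with a small `len` satisfies the comparison, and `copy_to_user` would then read from before `outp`. If they are signed, a lower-bound guard ahead of it, e.g. `if ((long)outp->coda_ioctl.data < 0 || outp->coda_ioctl.len < 0) { error = -EINVAL; goto exit; }`, closes that gap. Separately, `/* Copy out the OUT buffer. */` now appears twice; the one above the length check could read `/* Reply must fit in the caller's OUT buffer. */`.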