From: Steven Rostedt
The n_tty driver is missing some put_user checks.
(forwarded by akpm@digeo.com)
 drivers/char/n_tty.c | 19 +++++++++++++++----
 1 files changed, 15 insertions(+), 4 deletions(-)
diff -puN drivers/char/n_tty.c~tty-put_user-checks drivers/char/n_tty.c
--- 25/drivers/char/n_tty.c~tty-put_user-checks 2003-03-20 03:11:44.000000000 -0800
+++ 25-akpm/drivers/char/n_tty.c 2003-03-20 03:11:44.000000000 -0800
@@ -1029,7 +1029,10 @@ do_it_again:
 break;
 cs = tty->link->ctrl_status;
 tty->link->ctrl_status = 0;
- put_user(cs, b++);
+ if (put_user(cs, b++)) {
+ retval = -EFAULT;
+ break;
+ }
 nr--;
 break;
 }
@@ -1068,7 +1071,10 @@ do_it_again:
 /* Deal with packet mode. */
 if (tty->packet && b == buf) {
- put_user(TIOCPKT_DATA, b++);
+ if (put_user(TIOCPKT_DATA, b++)) {
+ retval = -EFAULT;
+ break;
+ }
 nr--;
 }
@@ -1095,12 +1101,17 @@ do_it_again:
 spin_unlock_irqrestore(&tty->read_lock, flags);
 if (!eol || (c != __DISABLED_CHAR)) {
- put_user(c, b++);
+ if (put_user(c, b++)) {
+ retval = -EFAULT;
+ break;
+ }
 nr--;
 }
 if (eol)
 break;
 }
+ if (retval)
+ break;
 } else {
 int uncopied;
 uncopied = copy_from_read_buf(tty, &b, &nr);
@@ -1135,7 +1146,7 @@ do_it_again:
 current->state = TASK_RUNNING;
 size = b - buf;
- if (size) {
+ if (!retval && size) {
 retval = size;
 if (nr)
 clear_bit(TTY_PUSH, &tty->flags);
_
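Review bot: In the first hunk (`-1029,7`), `put_user(cs, b++)` still advances `b` when the copy faults, so `b - buf` no longer equals the number of bytes actually delivered to user space; the same pattern is in the `TIOCPKT_DATA` hunk (`-1068,7`) and in the `put_user(c, b++)` hunk (`-1095,12`). Adding `b--;` before `break;` in each error branch keeps the pointer accurate and stops the byte count from depending on the later `!retval` guard. Separately, `tty->link->ctrl_status = 0;` runs before the checked copy, so a faulting read discards the status byte; restoring it on failure with `tty->link->ctrl_status |= cs;` would avoid that, though the locking around this field is not visible here. The enclosing function starts and ends outside the hunk.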
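Review bot: The `if (retval) break;` added after the inner copy loop in the third hunk (`-1095,12`) needs a comment, because it is easy to miss that the `break` in the `put_user` failure branch only leaves the inner loop. Something like `/* put_user faulted above: leave the outer read loop as well */` would do. By the time `put_user(c, b++)` runs, `read_lock` has already been released, which suggests the character was already taken out of the read buffer (the dequeue itself is outside the hunk), so a fault here probably loses that character. That consequence should be stated in the comment or the commit message.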
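Review bot: `if (!retval && size)` in the last hunk (`-1135,7`) returns the error even when bytes were already copied to user space, so a read that delivered data before faulting reports `-EFAULT` and the caller cannot tell how much of its buffer was filled. If `retval` is also set on other exits from the read loop (non-blocking, signal or hangup paths would be typical, but they are outside this hunk), those would stop returning the partial count too, which goes beyond the stated goal of the patch. Keeping `if (size) {` here, and having the failing `put_user` branches undo the increment with `b--;`, would return the short count when anything was transferred and `-EFAULT` only when nothing was.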