From: Dipankar Sarma <dipankar@in.ibm.com>

Use copy_to_user/get_user with user buffers.



 25-akpm/drivers/usb/image/mdc800.c |   22 +++++++++++++++-------
 1 files changed, 15 insertions(+), 7 deletions(-)

diff -puN drivers/usb/image/mdc800.c~ds-07-mdc800-usercopy-fix drivers/usb/image/mdc800.c
--- 25/drivers/usb/image/mdc800.c~ds-07-mdc800-usercopy-fix	Tue Jun 10 14:57:02 2003
+++ 25-akpm/drivers/usb/image/mdc800.c	Tue Jun 10 14:57:02 2003
@@ -748,8 +748,10 @@ static ssize_t mdc800_device_read (struc
 		}
 		else
 		{
-			/* memcpy Bytes */
-			memcpy (ptr, &mdc800->out [mdc800->out_ptr], sts);
+			/* Copy Bytes */
+			if (copy_to_user(ptr, 
+				&mdc800->out [mdc800->out_ptr], sts))
+				return -EFAULT;
 			ptr+=sts;
 			left-=sts;
 			mdc800->out_ptr+=sts;
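Review bot: The new `return -EFAULT` after `copy_to_user()` exits without calling `up (&mdc800->io_lock)`, whereas every early return of mdc800_device_write visible in this patch releases that semaphore first. The lock acquisition in mdc800_device_read is outside this hunk, so this is inferred, but if the read path holds io_lock here, a faulting user pointer would leave it held and block all later reads and writes on the device. Brace the branch and release the lock before returning: `if (copy_to_user(ptr, &mdc800->out [mdc800->out_ptr], sts)) { up (&mdc800->io_lock); return -EFAULT; }`. The function body starts and ends outside the hunk.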
@@ -786,14 +788,21 @@ static ssize_t mdc800_device_write (stru
 
 	while (i<len)
 	{
+		unsigned char c;
 		if (signal_pending (current)) 
 		{
 			up (&mdc800->io_lock);
 			return -EINTR;
 		}
+		
+		if(get_user(c, buf+i))
+		{
+			up(&mdc800->io_lock);
+			return -EFAULT;
+		}
 
 		/* check for command start */
-		if (buf [i] == (char) 0x55)
+		if (c == 0x55)
 		{
 			mdc800->in_count=0;
 			mdc800->out_count=0;
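Review bot: The `-EFAULT` exit added after `get_user(c, buf+i)` can be taken after earlier loop iterations have already consumed bytes, and nothing here documents what driver state that leaves behind. As far as these hunks show, each byte is stored into `mdc800->in` as it is read and a 0x55 byte resets `in_count` and `out_count`, so a comment above the check such as `/* on fault, bytes already parsed stay in mdc800->in until the next 0x55 start byte */` would record the behaviour. The added lines also write `if(get_user` and `up(&...)` without the space before the parenthesis that the surrounding code uses (`up (&mdc800->io_lock)`). The loop body continues beyond this hunk.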
@@ -804,12 +813,11 @@ static ssize_t mdc800_device_write (stru
 		/* save command byte */
 		if (mdc800->in_count < 8)
 		{
-			mdc800->in[mdc800->in_count]=buf[i];
+			mdc800->in[mdc800->in_count] = c;
 			mdc800->in_count++;
 		}
 		else
 		{
-			err ("Command is too long !\n");
 			up (&mdc800->io_lock);
 			return -EIO;
 		}
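Review bot: Dropping `err ("Command is too long !\n")` is not mentioned in the commit description, and without it the over-long-command case returns a bare `-EIO` that is indistinguishable from the other `-EIO` exit visible later in this function. If the message was removed because any process writing to the device could trigger it repeatedly and flood the kernel log, say so in a comment, e.g. `/* no message: reachable at will from user space */`. If the removal was unintentional, keep a rate-limited diagnostic instead. The `in_count < 8` bound on the store into `mdc800->in` is unchanged and still guards the user-supplied byte.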
@@ -884,8 +892,8 @@ static ssize_t mdc800_device_write (stru
 							return -EIO;
 						}
 
-						/* Write dummy data, (this is ugly but part of the USB Protokoll */
-						/* if you use endpoint 1 as bulk and not as irq */
+						/* Write dummy data, (this is ugly but part of the USB Protocol */
+						/* if you use endpoint 1 as bulk and not as irq) */
 						memcpy (mdc800->out, mdc800->camera_response,8);
 
 						/* This is the interpreted answer */

_