From: Dipankar Sarma
Fix handling of user bufs (arg), use copy_from_user.
drivers/usb/media/vicam.c | 28 +++++++++++++++++++---------
1 files changed, 19 insertions(+), 9 deletions(-)
diff -puN drivers/usb/media/vicam.c~ds-09-vicam-usercopy-fix drivers/usb/media/vicam.c
--- 25/drivers/usb/media/vicam.c~ds-09-vicam-usercopy-fix 2003-06-26 17:35:22.000000000 -0700
+++ 25-akpm/drivers/usb/media/vicam.c 2003-06-26 17:35:22.000000000 -0700
@@ -611,15 +611,20 @@ vicam_ioctl(struct inode *inode, struct
 case VIDIOCSPICT:
 {
- struct video_picture *vp = (struct video_picture *) arg;
+ struct video_picture vp;
- DBG("VIDIOCSPICT depth = %d, pal = %d\n", vp->depth,
- vp->palette);
+ if (copy_from_user(&vp, arg, sizeof (vp))) {
+ retval = -EFAULT;
+ break;
+ }
- cam->gain = vp->brightness >> 8;
+ DBG("VIDIOCSPICT depth = %d, pal = %d\n", vp.depth,
+ vp.palette);
- if (vp->depth != 24
- || vp->palette != VIDEO_PALETTE_RGB24)
+ cam->gain = vp.brightness >> 8;
+
+ if (vp.depth != 24
+ || vp.palette != VIDEO_PALETTE_RGB24)
 retval = -EINVAL;
 break;
@@ -652,10 +657,15 @@ vicam_ioctl(struct inode *inode, struct
 case VIDIOCSWIN:
 {
- struct video_window *vw = (struct video_window *) arg;
- DBG("VIDIOCSWIN %d x %d\n", vw->width, vw->height);
+ struct video_window vw;
+
+ if (copy_from_user(&vw, arg, sizeof (vw))) {
+ retval = -EFAULT;
+ break;
+ }
+ DBG("VIDIOCSWIN %d x %d\n", vw.width, vw.height);
- if ( vw->width != 320 || vw->height != 240 )
+ if ( vw.width != 320 || vw.height != 240 )
 retval = -EFAULT;
 break;
_
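Review bot: In the VIDIOCSPICT case, `cam->gain = vp.brightness >> 8;` still runs before the depth/palette check, so a request that ends up rejected with -EINVAL has already changed the camera gain from caller-supplied data. If that is not intended, validate first and apply the value only on success, e.g. put the assignment in an `else` branch after `retval = -EINVAL;`. A one-line comment above the copy, such as `/* arg is a user-space pointer: copy it in before reading any field */`, would record why the struct is now a local. vicam_ioctl starts and ends outside this hunk, so it cannot be seen from here whether other cases still dereference `arg` directly; they deserve the same audit.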
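Review bot: In the VIDIOCSWIN case, the size check on the unchanged context line still sets `retval = -EFAULT;`, which a caller can no longer tell apart from the new copy_from_user failure a few lines above it. An unsupported width/height is a bad argument rather than a bad address, so `retval = -EINVAL;` would match the VIDIOCSPICT case. That changes the errno returned to user space, so it is worth confirming that no existing caller depends on the old value. The closing brace of the case block is outside the hunk.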