Skip to content
Commit 6a029a90 authored by Al Viro's avatar Al Viro Committed by Linus Torvalds
Browse files

[PATCH] mmaper_kern.c fixes [buffer overruns]



 - copy_from_user() can fail; ->write() must check its return value.

 - severe buffer overruns both in ->read() and ->write() - lseek to the
   end (i.e.  to mmapper_size) and

	if (count + *ppos > mmapper_size)
		count = count + *ppos - mmapper_size;

   will do absolutely nothing.  Then it will call

	copy_to_user(buf,&v_buf[*ppos],count);

   with obvious results (similar for ->write()).

   Fixed by turning read to simple_read_from_buffer() and by doing
   normal limiting of count in ->write().

 - gratitious lock_kernel() in ->mmap() - it's useless there.

 - lots of gratuitous includes.

Signed-off-by: default avatarAl Viro <viro@parcelfarce.linux.theplanet.co.uk>
Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
parent 36676bcb
Loading
Loading
Loading
Loading
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment