patch-2.4.19 linux-2.4.19/fs/intermezzo/kml.c

• Lines: 167
• Date: Fri Aug 2 17:39:45 2002
• Orig file: linux-2.4.18/fs/intermezzo/kml.c
• Orig date: Sun Nov 11 10:20:21 2001

diff -urN linux-2.4.18/fs/intermezzo/kml.c linux-2.4.19/fs/intermezzo/kml.c
@@ -20,9 +20,9 @@
 {
         struct {
                 char *volname;
-                int   namelen;  
+                unsigned int namelen;  
                 char *recbuf;
-                int   reclen;     /* int   newpos; */
+                unsigned int reclen;     /* int   newpos; */
         } input;
         struct kml_fsdata *kml_fsdata = NULL;
         struct presto_file_set *fset = NULL;
@@ -31,12 +31,17 @@
 
         ENTRY;
         /* allocate buffer & copy it to kernel space */
-        error = copy_from_user(&input, (char *)arg, sizeof(input));
-        if ( error ) {
+        if (copy_from_user(&input, (char *)arg, sizeof(input))) {
                 EXIT;
-                return error;
+                return -EFAULT;
         }
 
+	if (input.namelen > PATH_MAX)
+	{
+		EXIT;
+		return -EINVAL;
+	}
+		
         if (input.reclen > kml_fsdata->kml_maxsize)
                 return -ENOMEM; /* we'll find solution to this in the future */
 
@@ -45,11 +50,10 @@
                 EXIT;
                 return -ENOMEM;
         }
-        error = copy_from_user(path, input.volname, input.namelen);
-        if ( error ) {
+        if (copy_from_user(path, input.volname, input.namelen)) {
                 PRESTO_FREE(path, input.namelen + 1);
                 EXIT;
-                return error;
+                return -EFAULT;
         }
         path[input.namelen] = '\0';
         fset = kml_getfset (path);
@@ -57,10 +61,9 @@
 
         kml_fsdata = FSET_GET_KMLDATA(fset);
         /* read the buf from user memory here */
-        error = copy_from_user(kml_fsdata->kml_buf, input.recbuf, input.reclen);
-        if ( error ) {
+        if (copy_from_user(kml_fsdata->kml_buf, input.recbuf, input.reclen)) {
                 EXIT;
-                return error;
+                return -EFAULT;
         }
         kml_fsdata->kml_len = input.reclen;
 
@@ -78,9 +81,9 @@
 {
         struct {
                 char *volname;
-                int   namelen;  
+                unsigned int namelen;  
                 char *path;
-                int pathlen;
+                unsigned int pathlen;
                 int recno;
                 int offset;
                 int len;
@@ -94,21 +97,26 @@
         struct presto_file_set *fset;
 
         ENTRY;
-        error = copy_from_user(&input, (char *)arg, sizeof(input));
-        if ( error ) {
+        if (copy_from_user(&input, (char *)arg, sizeof(input))) {
                 EXIT;
-                return error;
+                return -EFAULT;
         }
+        
+        if(input.namelen > PATH_MAX || input.pathlen > PATH_MAX)
+        {
+        	EXIT;
+        	return -EFAULT;
+        }
+        
         PRESTO_ALLOC(path, char *, input.namelen + 1);
         if ( !path ) {
                 EXIT;
                 return -ENOMEM;
         }
-        error = copy_from_user(path, input.volname, input.namelen);
-        if ( error ) {
+        if (copy_from_user(path, input.volname, input.namelen)) {
                 PRESTO_FREE(path, input.namelen + 1);
                 EXIT;
-                return error;
+                return -EFAULT;
         }
         path[input.namelen] = '\0';
         fset = kml_getfset (path);
@@ -138,7 +146,8 @@
                                 strlen (close->path) + 1, input.pathlen);
                         error = -ENOMEM;
                 }
-                copy_to_user((char *)arg, &input, sizeof (input));
+                if (copy_to_user((char *)arg, &input, sizeof (input)))
+			return -EFAULT;
         }
         return error;
 }
@@ -149,7 +158,7 @@
         /* Free KML buffer and related volume info */
         struct {
                 char *volname;
-                int   namelen;  
+                unsigned int namelen;  
 #if 0
                 int   count; 
                 int   newpos; 
@@ -161,22 +170,27 @@
         char *path;
 
         ENTRY;
-        error = copy_from_user(&input, (char *)arg, sizeof(input));
-        if ( error ) {
+        if (copy_from_user(&input, (char *)arg, sizeof(input))) { 
                EXIT;
-               return error;
+               return -EFAULT;
         }
 
+	if (input.namelen > PATH_MAX)
+	{
+		EXIT;
+		return -EFAULT;
+	}
+	
         PRESTO_ALLOC(path, char *, input.namelen + 1);
         if ( !path ) {
                 EXIT;
                 return -ENOMEM;
         }
-        error = copy_from_user(path, input.volname, input.namelen);
+        if (copy_from_user(path, input.volname, input.namelen)) {
         if ( error ) {
                 PRESTO_FREE(path, input.namelen + 1);
                 EXIT;
-                return error;
+                return -EFAULT;
         }
         path[input.namelen] = '\0';
         fset = kml_getfset (path);
@@ -193,7 +207,8 @@
 #if 0
         input.newpos = kml_upc->newpos;
         input.count = kml_upc->count;
-        copy_to_user((char *)arg, &input, sizeof (input));
+        if (copy_to_user((char *)arg, &input, sizeof (input)))
+		return -EFAULT;
 #endif
         return error;
 }