Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 5ffa6d7f authored by Al Viro's avatar Al Viro Committed by Jeff Garzik
Browse files

wan/farsync: copy_from_user() to iomem is wrong 



kmalloc intermediate buffer(), do copy_from_user() + memcpy_toio()

Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
Signed-off-by: default avatarJeff Garzik <jeff@garzik.org>
parent ed773b4a

drivers/net/wan/farsync.c

+12 −5
Original line number Original line Diff line number Diff line
@@ -2024,6 +2024,7 @@ fst_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd) 
	struct fstioc_write wrthdr;

	struct fstioc_write wrthdr;

	struct fstioc_info info;

	struct fstioc_info info;

	unsigned long flags;

	unsigned long flags;

	void *buf;





	dbg(DBG_IOCTL, "ioctl: %x, %p\n", cmd, ifr->ifr_data);

	dbg(DBG_IOCTL, "ioctl: %x, %p\n", cmd, ifr->ifr_data);
@@ -2065,16 +2066,22 @@ fst_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd) 
			return -ENXIO;

			return -ENXIO;

		}

		}





		/* Now copy the data to the card.

		/* Now copy the data to the card. */

		 * This will probably break on some architectures.



		 * I'll fix it when I have something to test on.

		buf = kmalloc(wrthdr.size, GFP_KERNEL);

		 */

		if (!buf)

		if (copy_from_user(card->mem + wrthdr.offset,

			return -ENOMEM;



		if (copy_from_user(buf,

				   ifr->ifr_data + sizeof (struct fstioc_write),

				   ifr->ifr_data + sizeof (struct fstioc_write),

				   wrthdr.size)) {

				   wrthdr.size)) {

			kfree(buf);

			return -EFAULT;

			return -EFAULT;

		}

		}





		memcpy_toio(card->mem + wrthdr.offset, buf, wrthdr.size);

		kfree(buf);



		/* Writes to the memory of a card in the reset state constitute

		/* Writes to the memory of a card in the reset state constitute

		 * a download

		 * a download

		 */

		 */