From patchwork Mon Dec 12 11:31:53 2011 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Marek Lindner X-Patchwork-Id: 1490 Return-Path: Received: from nm25-vm3.bullet.mail.ukl.yahoo.com (nm25-vm3.bullet.mail.ukl.yahoo.com [217.146.177.79]) by open-mesh.org (Postfix) with SMTP id 22A1D6007D6 for ; Mon, 12 Dec 2011 12:33:04 +0100 (CET) Authentication-Results: open-mesh.org; dkim=pass (1024-bit key) header.i=@yahoo.de; dkim-adsp=none Received: from [217.146.183.213] by nm25.bullet.mail.ukl.yahoo.com with NNFMP; 12 Dec 2011 11:33:03 -0000 Received: from [77.238.184.52] by tm6.bullet.mail.ukl.yahoo.com with NNFMP; 12 Dec 2011 11:33:03 -0000 Received: from [127.0.0.1] by smtp121.mail.ukl.yahoo.com with NNFMP; 12 Dec 2011 11:33:03 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.de; s=s1024; t=1323689583; bh=YA6XjnA0XVZKdAQeyy9E8gF1oneGWtjsr+sv6EZktbc=; h=X-Yahoo-Newman-Id:X-Yahoo-Newman-Property:X-YMail-OSG:X-Yahoo-SMTP:Received:From:To:Cc:Subject:Date:Message-Id:X-Mailer:In-Reply-To:References; b=JLNHabOXkbuxc9j9VHnbeOW9mh2XaLj6I5dHYCO1YzZZ9nXsgsTTXUEU9IE/O4shcHhSsFEU6MxWY5E+4jRdSmqVjd6CYAXoCW9nNINh7Qy3++IRkUWtFzZ8lpj3j8MDnp1OHJGzn7Ec2Tq9KzFc6bPcyW3F2W2B3roTIWDGFII= X-Yahoo-Newman-Id: 663495.86667.bm@smtp121.mail.ukl.yahoo.com X-Yahoo-Newman-Property: ymail-3 X-YMail-OSG: TonVJAsVM1k2TByjeIXwEnImLFsgMudEZ2qn5SWHqRYwdgv kCXdRbMs.EqHtdlvkibZ8t80S2ZKgCTtbm6US3NrDFYCYRkvHDdm81_6o_nw YlUfQy4.wItdp_iluW3p.GI8sj7Roa_GqJT0VV4reIoa.VpA.HXJ0xN1hLu3 lXv7neGBZkg.Iy_cAKtjfWIou_0rDKvFXT_etBdunp7Hpn8iXyXMmPRsXCZz pzoveaGzi6kEelQB6ohS30DdR3G5hhNvyMR9rdX_g.8LcH0RZmVy2EMS4Pe7 wwYFJVP2HgzV3wVynlyOTjFTAKzE6QHyjilP7dxByKHWAT9XE.0x5PChij.0 Tdd_8e4np6QSql7wI4eXNAFDTB8EIZZWJs51C6d2k2EhUFPUZ X-Yahoo-SMTP: tW.h3tiswBBMXO2coYcbPigGD5Lt6zY_.Zc- Received: from localhost (lindner_marek@210.177.7.38 with plain) by smtp121.mail.ukl.yahoo.com with SMTP; 12 Dec 2011 11:33:02 +0000 GMT From: Marek Lindner To: davem@davemloft.net Date: Mon, 12 Dec 2011 19:31:53 +0800 Message-Id: <1323689516-24427-10-git-send-email-lindner_marek@yahoo.de> X-Mailer: git-send-email 1.7.5.4 In-Reply-To: <1323689516-24427-1-git-send-email-lindner_marek@yahoo.de> References: <1323689516-24427-1-git-send-email-lindner_marek@yahoo.de> Cc: netdev@vger.kernel.org, b.a.t.m.a.n@lists.open-mesh.org, Marek Lindner , Paul Kot Subject: [B.A.T.M.A.N.] [PATCH 09/11] batman-adv: bat_socket_read missing checks X-BeenThere: b.a.t.m.a.n@lists.open-mesh.org X-Mailman-Version: 2.1.13 Precedence: list Reply-To: The list for a Better Approach To Mobile Ad-hoc Networking List-Id: The list for a Better Approach To Mobile Ad-hoc Networking List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 12 Dec 2011 11:33:04 -0000 From: Paul Kot Writing a icmp_packet_rr and then reading icmp_packet can lead to kernel memory corruption, if __user *buf is just below TASK_SIZE. Signed-off-by: Paul Kot [sven@narfation.org: made it checkpatch clean] Signed-off-by: Sven Eckelmann Signed-off-by: Marek Lindner --- net/batman-adv/icmp_socket.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/net/batman-adv/icmp_socket.c b/net/batman-adv/icmp_socket.c index defd692..88ab26f 100644 --- a/net/batman-adv/icmp_socket.c +++ b/net/batman-adv/icmp_socket.c @@ -136,8 +136,8 @@ static ssize_t bat_socket_read(struct file *file, char __user *buf, spin_unlock_bh(&socket_client->lock); - error = __copy_to_user(buf, &socket_packet->icmp_packet, - socket_packet->icmp_len); + error = copy_to_user(buf, &socket_packet->icmp_packet, + socket_packet->icmp_len); packet_len = socket_packet->icmp_len; kfree(socket_packet);