[2861] in linux-net channel archive


patches (verify_area related) RESENT

daemon@ATHENA.MIT.EDU (Heiko Eissfeldt)
Sat May 11 09:35:12 1996

From: Heiko Eissfeldt <heiko@colossus.escape.de>
To: net-patches@lxorguk.ukuu.org.uk
Date: 	Tue, 7 May 1996 19:21:56 +0200 (MEST)
Cc: linux-net@vger.rutgers.edu

These patches are against 1.3.98 (from source browsing).

Alan, you don't check Email at
iialan@www.linux.org.uk (linux.org.uk/big patches), don't you :-)?


Hope this gets into the kernel before 2.0

Heiko

--- net/socket.c	Sat Apr 13 14:19:02 1996
+++ net/socket.c2	Sat Apr 27 21:30:27 1996
@@ -403,7 +403,9 @@
 {
 	struct socket *sock;
 	sock = socki_lookup(inode); 
-  	return(sock->ops->ioctl(sock, cmd, arg));
+	if (sock && sock->ops && sock->ops->ioctl)
+	  return(sock->ops->ioctl(sock, cmd, arg));
+	return -EINVAL;
 }
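Review bot: The new guard tests `sock`, `sock->ops` and `sock->ops->ioctl`, but nothing on the added lines says which of the three can actually be NULL on this path, so a reader cannot tell a reachable state from defensive padding. A one-line comment above the `if` naming the real case (for example a socket whose `ops` has not been set yet, if that is the case) would record why the ioctl fails with `-EINVAL` instead of dereferencing. The two returns are also written differently, `return(...)` under a two-space indent and then `return -EINVAL;`; using one form keeps the block consistent. The function's signature is outside the hunk.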


--- net/appletalk/ddp.c	Sat Apr 13 14:18:56 1996
+++ net/appletalk/ddp.c2	Sat Apr 27 21:34:14 1996
@@ -854,6 +854,8 @@
 			((struct sockaddr_at *)(&atreq.ifr_addr))->sat_addr.s_net=atif->address.s_net;
 			((struct sockaddr_at *)(&atreq.ifr_addr))->sat_addr.s_node=ATADDR_BCAST;
 			break;
+		default:
+			return -EINVAL;
 	}
 	memcpy_tofs(arg,&atreq,sizeof(atreq));
 	return 0;
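Review bot: `memcpy_tofs(arg,&atreq,sizeof(atreq))` after the switch writes to the caller-supplied `arg`, and no `verify_area(VERIFY_WRITE, ...)` on `arg` is visible in this hunk. The function begins outside the hunk, so the check may already exist above the switch, but it is worth confirming since the other hunks in this patch add exactly that kind of check. A short comment on the new branch, such as `/* unknown request: do not copy atreq back to the caller */`, would also make the purpose of the `default:` clear.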
--- net/unix/af_unix.c	Sat Apr 13 14:19:02 1996
+++ net/unix/af_unix.c2	Sat Apr 27 21:36:13 1996
@@ -1222,6 +1222,8 @@
 			if((skb=skb_peek(&sk->receive_queue))!=NULL)
 				amount=skb->len;
 			err=verify_area(VERIFY_WRITE,(void *)arg,sizeof(unsigned long));
+			if(err)
+				return err;
 			put_fs_long(amount,(unsigned long *)arg);
 			return 0;
 		}
--- drivers/net/plip.c	Thu Apr 11 11:55:41 1996
+++ drivers/net/plip.c2	Fri Apr 19 12:52:04 1996
@@ -1039,7 +1039,12 @@
 {
 	struct net_local *nl = (struct net_local *) dev->priv;
 	struct plipconf *pc = (struct plipconf *) &rq->ifr_data;
-	
+	int err;
+
+	err = verify_area(VERIFY_WRITE, pc, sizeof(*pc));
+	if (err)
+		return err;
+
 	switch(pc->pcmd) {
 	case PLIP_GET_TIMEOUT:
 		pc->trigger = nl->trigger;
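Review bot: `verify_area(VERIFY_WRITE, pc, sizeof(*pc))` checks an address that the code then dereferences directly (`pc->pcmd`, `pc->trigger = nl->trigger`), whereas the other hunks in this patch reach user memory only through `put_fs_long` or `memcpy_tofs`. `pc` is the address of a field inside `rq`, so if `rq` is a kernel-side copy of the request, the check treats a kernel address as a user one and may reject valid calls. If `rq` really is user memory, the direct accesses after the check remain the problem. Which it is depends on the caller, which is outside the hunk, so either drop the check or state the assumption in a comment such as `/* rq is the caller's kernel copy; no user-space access here */`. The later dlci_ioctl hunk that replaces `strcpy` with `memcpy_tofs(ifr->ifr_slave, ...)` raises the same question.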
--- drivers/net/dlci.c	Thu Apr 18 12:11:54 1996
+++ drivers/net/dlci.c2	Fri Apr 19 13:39:48 1996
@@ -286,10 +286,6 @@
    int                 err, i;
    char                buf[10];

-   err = verify_area(VERIFY_READ, new, sizeof(*new));
-   if (err)
-      return(err);
-
    err = verify_area(VERIFY_WRITE, new, sizeof(*new));
    if (err)
       return(err);
@@ -453,6 +449,7 @@
 int dlci_ioctl(struct device *dev, struct ifreq *ifr, int cmd)
 {
    struct dlci_local *dlp;
+   int err;

    if (!suser())
       return(-EPERM);
@@ -465,7 +462,14 @@
          if (!*(short *)(dev->dev_addr))
             return(-EINVAL);

-         strcpy(ifr->ifr_slave, dlp->slave->name);
+	 {
+	 	int namlen = strlen(dlp->slave->name) + 1;
+		err = verify_area(VERIFY_WRITE, ifr->ifr_slave, namlen);
+		if (err)
+		  return err;
+
+		memcpy_tofs(ifr->ifr_slave, dlp->slave->name, namlen);
+	 }
          break;

       case DLCI_DEVADD:
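Review bot: `namlen` comes from `strlen(dlp->slave->name) + 1` and is never compared with the size of the destination `ifr->ifr_slave`, so the copy length is governed by the source string alone, just as it was with the `strcpy` being replaced. If `ifr_slave` is a fixed-size name field of `struct ifreq` (its declaration is not on this page), add a bound before the copy, e.g. `if (namlen > sizeof(ifr->ifr_slave)) return -EINVAL;`. The new block is also indented with tabs, while the context lines of this file use three spaces. The case body begins outside the hunk.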

