diff options
author | Samuel Ortiz <sameo@linux.intel.com> | 2012-10-29 14:02:17 +0100 |
---|---|---|
committer | Samuel Ortiz <sameo@linux.intel.com> | 2012-11-19 23:57:00 +0100 |
commit | 6e950fd214645e71e94bce2429bea58b88e1b5d0 (patch) | |
tree | 81169b2a40c2e6a5a64f728c77aad68bfd75ac04 | |
parent | 08eaa1e0ce5bad11bedd311a9ddc3baf778ee1df (diff) |
NFC: Copy user space buffer when sending UI frames
Using the userspace IO vector directly is wrong, we should copy it from
user space first.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
-rw-r--r-- | net/nfc/llcp/commands.c | 15 |
1 files changed, 13 insertions, 2 deletions
diff --git a/net/nfc/llcp/commands.c b/net/nfc/llcp/commands.c index ed2d17312d6..f0a39456f26 100644 --- a/net/nfc/llcp/commands.c +++ b/net/nfc/llcp/commands.c @@ -579,7 +579,7 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap, struct sk_buff *pdu; struct nfc_llcp_local *local; size_t frag_len = 0, remaining_len; - u8 *msg_ptr; + u8 *msg_ptr, *msg_data; int err; pr_debug("Send UI frame len %zd\n", len); @@ -588,8 +588,17 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap, if (local == NULL) return -ENODEV; + msg_data = kzalloc(len, GFP_KERNEL); + if (msg_data == NULL) + return -ENOMEM; + + if (memcpy_fromiovec(msg_data, msg->msg_iov, len)) { + kfree(msg_data); + return -EFAULT; + } + remaining_len = len; - msg_ptr = (u8 *) msg->msg_iov; + msg_ptr = msg_data; while (remaining_len > 0) { @@ -616,6 +625,8 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap, msg_ptr += frag_len; } + kfree(msg_data); + return len; } |