authorSamuel Ortiz <sameo@linux.intel.com>2012-10-29 14:02:17 +0100
committerSamuel Ortiz <sameo@linux.intel.com>2012-11-19 23:57:00 +0100
commit6e950fd214645e71e94bce2429bea58b88e1b5d0 (patch)
tree81169b2a40c2e6a5a64f728c77aad68bfd75ac04
parent08eaa1e0ce5bad11bedd311a9ddc3baf778ee1df (diff)
NFC: Copy user space buffer when sending UI frames
Using the userspace IO vector directly is wrong, we should copy it from user space first. Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
-rw-r--r--net/nfc/llcp/commands.c15
1 files changed, 13 insertions, 2 deletions
diff --git a/net/nfc/llcp/commands.c b/net/nfc/llcp/commands.c
index ed2d17312d6..f0a39456f26 100644
--- a/net/nfc/llcp/commands.c
+++ b/net/nfc/llcp/commands.c
@@ -579,7 +579,7 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap,
struct sk_buff *pdu;
struct nfc_llcp_local *local;
size_t frag_len = 0, remaining_len;
- u8 *msg_ptr;
+ u8 *msg_ptr, *msg_data;
int err;
pr_debug("Send UI frame len %zd\n", len);
@@ -588,8 +588,17 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap,
if (local == NULL)
return -ENODEV;
+ msg_data = kzalloc(len, GFP_KERNEL);
+ if (msg_data == NULL)
+ return -ENOMEM;
+
+ if (memcpy_fromiovec(msg_data, msg->msg_iov, len)) {
+ kfree(msg_data);
+ return -EFAULT;
+ }
+
remaining_len = len;
- msg_ptr = (u8 *) msg->msg_iov;
+ msg_ptr = msg_data;
while (remaining_len > 0) {
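Review bot: `kzalloc(len, GFP_KERNEL)` sizes a kernel allocation straight from `len`, and nothing in this hunk bounds that value. If `len` reaches this function unchecked from the sendmsg path (the caller is not visible here), an oversized request is only rejected after the allocator has tried and logged a failure. Consider rejecting lengths above the largest UI payload the socket may legitimately send before allocating, or, once the caller's check is confirmed, documenting it with `/* len is validated by the sendmsg path before we get here */`. Also, `memcpy_fromiovec()` advances the caller's iovec while copying, so `msg->msg_iov` should not be read again after this point. The body of nfc_llcp_send_ui_frame starts above this hunk and continues below it.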
@@ -616,6 +625,8 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap,
msg_ptr += frag_len;
}
+ kfree(msg_data);
+
return len;
}
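Review bot: The copied buffer is released only by this `kfree(msg_data)` on the fall-through exit after the loop. The loop body lies between the hunks and is not shown, so it is worth confirming that no path inside it returns or jumps out early, since that would leak the allocation made from user-supplied `len`. If such a path exists, route every exit through one label that does `kfree(msg_data);` before returning, which would also replace the separate free in the `-EFAULT` branch.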