From b9b64e6e89fc5a6ef220747115c5b7764614ca3f Mon Sep 17 00:00:00 2001 From: David S. Miller Date: Mon, 18 Sep 2006 01:47:13 -0700 Subject: [OPENPROMIO]: Handle current_node being NULL correctly. If the user tries to traverse to the next node of the last node, we get NULL in current_node and a zero phandle returned. That's fine, but if the user tries to obtain properties in that state, we try to dereference a NULL pointer in the downcall to the of_*() routines. So protect against that. Signed-off-by: David S. Miller --- drivers/sbus/char/openprom.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/drivers/sbus/char/openprom.c b/drivers/sbus/char/openprom.c index 293bb2fdb1d5..2f698763ba5d 100644 --- a/drivers/sbus/char/openprom.c +++ b/drivers/sbus/char/openprom.c @@ -145,8 +145,9 @@ static int opromgetprop(void __user *argp, struct device_node *dp, struct openpr void *pval; int len; - pval = of_get_property(dp, op->oprom_array, &len); - if (!pval || len <= 0 || len > bufsize) + if (!dp || + !(pval = of_get_property(dp, op->oprom_array, &len)) || + len <= 0 || len > bufsize) return copyout(argp, op, sizeof(int)); memcpy(op->oprom_array, pval, len); @@ -161,6 +162,8 @@ static int opromnxtprop(void __user *argp, struct device_node *dp, struct openpr struct property *prop; int len; + if (!dp) + return copyout(argp, op, sizeof(int)); if (op->oprom_array[0] == '\0') { prop = dp->properties; if (!prop) @@ -266,9 +269,13 @@ static int oprompci2node(void __user *argp, struct device_node *dp, struct openp static int oprompath2node(void __user *argp, struct device_node *dp, struct openpromio *op, int bufsize, DATA *data) { + phandle ph = 0; + dp = of_find_node_by_path(op->oprom_array); + if (dp) + ph = dp->node; data->current_node = dp; - *((int *)op->oprom_array) = dp->node; + *((int *)op->oprom_array) = ph; op->oprom_size = sizeof(int); return copyout(argp, op, bufsize + sizeof(int)); -- cgit v1.2.3-55-g7522 From b9c54f91a48146778fe91423d4d467a0ee8c719b Mon Sep 17 00:00:00 2001 From: Andy Walker Date: Mon, 18 Sep 2006 07:11:36 -0700 Subject: [SPARC]: Fix regression in sys_getdomainname() This patch corrects the buffer length checking in the sys_getdomainname() implementation for sparc/sparc64. Signed-off-by: Andy Walker Signed-off-by: David S. Miller --- arch/sparc/kernel/sys_sparc.c | 10 ++++++---- arch/sparc64/kernel/sys_sparc.c | 10 ++++++---- 2 files changed, 12 insertions(+), 8 deletions(-) diff --git a/arch/sparc/kernel/sys_sparc.c b/arch/sparc/kernel/sys_sparc.c index 94ff58c9d4a9..896863fb208a 100644 --- a/arch/sparc/kernel/sys_sparc.c +++ b/arch/sparc/kernel/sys_sparc.c @@ -470,19 +470,21 @@ asmlinkage int sys_getdomainname(char __user *name, int len) { int nlen, err; - if (len < 0 || len > __NEW_UTS_LEN) + if (len < 0) return -EINVAL; down_read(&uts_sem); nlen = strlen(system_utsname.domainname) + 1; - if (nlen < len) - len = nlen; + err = -EINVAL; + if (nlen > len) + goto out; err = -EFAULT; - if (!copy_to_user(name, system_utsname.domainname, len)) + if (!copy_to_user(name, system_utsname.domainname, nlen)) err = 0; +out: up_read(&uts_sem); return err; } diff --git a/arch/sparc64/kernel/sys_sparc.c b/arch/sparc64/kernel/sys_sparc.c index bf5f14ee73de..c608c947e6c3 100644 --- a/arch/sparc64/kernel/sys_sparc.c +++ b/arch/sparc64/kernel/sys_sparc.c @@ -707,19 +707,21 @@ asmlinkage long sys_getdomainname(char __user *name, int len) { int nlen, err; - if (len < 0 || len > __NEW_UTS_LEN) + if (len < 0) return -EINVAL; down_read(&uts_sem); nlen = strlen(system_utsname.domainname) + 1; - if (nlen < len) - len = nlen; + err = -EINVAL; + if (nlen > len) + goto out; err = -EFAULT; - if (!copy_to_user(name, system_utsname.domainname, len)) + if (!copy_to_user(name, system_utsname.domainname, nlen)) err = 0; +out: up_read(&uts_sem); return err; } -- cgit v1.2.3-55-g7522