On Mon, 8 Nov 2010 12:08:07 +0100
<[email protected]> wrote:
> Hi,
>
> >From: ext Alan Cox [mailto:[email protected]]
> >Sent: 08 November, 2010 01:52
> >
> >> + datalen = p->custom_len * sizeof(p->custom_data[0]);
> >
> >signed
> >
> >> + if (datalen > MAX_EFFECT_SIZE) {
> >
> >unsigned
>
> It should be unsigned. I'll fix it.
>
> >> + memcpy(einfo->buf, p->custom_data, datalen);
> >
> >ungood
>
> Yep, that's clearly wrong too. Should be copy_from_user() I suppose.
That I hadn't considered - and I'm not sure whether the caller is passed
a kernel copy or not. The problem I was looking at was just the signed
case
datalen < 0
if (datalen > MAX ..)
Nope
memcpy(kernel, mysource, vastly more than intended (unsigned))
------------------------------------------------------------------------------
The Next 800 Companies to Lead America's Growth: New Video Whitepaper
David G. Thomson, author of the best-selling book "Blueprint to a
Billion" shares his insights and actions to help propel your
business during the next growth cycle. Listen Now!
http://p.sf.net/sfu/SAP-dev2dev
_______________________________________________
spi-devel-general mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/spi-devel-general
