Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
openanolis
cloud-kernel
提交
c981f254
cloud-kernel
项目概览
openanolis
/
cloud-kernel
1 年多 前同步成功
通知
161
Star
36
Fork
7
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
10
列表
看板
标记
里程碑
合并请求
2
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
cloud-kernel
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
10
Issue
10
列表
看板
标记
里程碑
合并请求
2
合并请求
2
Pages
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
提交
Issue看板
提交
c981f254
编写于
1月 07, 2018
作者:
A
Al Viro
浏览文件
操作
浏览文件
下载
电子邮件补丁
差异文件
sctp: use vmemdup_user() rather than badly open-coding memdup_user()
Signed-off-by:
N
Al Viro
<
viro@zeniv.linux.org.uk
>
上级
59aeaf3f
变更
1
显示空白变更内容
内联
并排
Showing
1 changed file
with
11 addition
and
48 deletion
+11
-48
net/sctp/socket.c
net/sctp/socket.c
+11
-48
未找到文件。
net/sctp/socket.c
浏览文件 @
c981f254
...
...
@@ -970,13 +970,6 @@ int sctp_asconf_mgmt(struct sctp_sock *sp, struct sctp_sockaddr_entry *addrw)
* This is used for tunneling the sctp_bindx() request through sctp_setsockopt()
* from userspace.
*
* We don't use copy_from_user() for optimization: we first do the
* sanity checks (buffer size -fast- and access check-healthy
* pointer); if all of those succeed, then we can alloc the memory
* (expensive operation) needed to copy the data to kernel. Then we do
* the copying without checking the user space area
* (__copy_from_user()).
*
* On exit there is no need to do sockfd_put(), sys_setsockopt() does
* it.
*
...
...
@@ -1006,25 +999,15 @@ static int sctp_setsockopt_bindx(struct sock *sk,
if
(
unlikely
(
addrs_size
<=
0
))
return
-
EINVAL
;
/* Check the user passed a healthy pointer. */
if
(
unlikely
(
!
access_ok
(
VERIFY_READ
,
addrs
,
addrs_size
)))
return
-
EFAULT
;
/* Alloc space for the address array in kernel memory. */
kaddrs
=
kmalloc
(
addrs_size
,
GFP_USER
|
__GFP_NOWARN
);
if
(
unlikely
(
!
kaddrs
))
return
-
ENOMEM
;
if
(
__copy_from_user
(
kaddrs
,
addrs
,
addrs_size
))
{
kfree
(
kaddrs
);
return
-
EFAULT
;
}
kaddrs
=
vmemdup_user
(
addrs
,
addrs_size
);
if
(
unlikely
(
IS_ERR
(
kaddrs
)))
return
PTR_ERR
(
kaddrs
);
/* Walk through the addrs buffer and count the number of addresses. */
addr_buf
=
kaddrs
;
while
(
walk_size
<
addrs_size
)
{
if
(
walk_size
+
sizeof
(
sa_family_t
)
>
addrs_size
)
{
kfree
(
kaddrs
);
k
v
free
(
kaddrs
);
return
-
EINVAL
;
}
...
...
@@ -1035,7 +1018,7 @@ static int sctp_setsockopt_bindx(struct sock *sk,
* causes the address buffer to overflow return EINVAL.
*/
if
(
!
af
||
(
walk_size
+
af
->
sockaddr_len
)
>
addrs_size
)
{
kfree
(
kaddrs
);
k
v
free
(
kaddrs
);
return
-
EINVAL
;
}
addrcnt
++
;
...
...
@@ -1065,7 +1048,7 @@ static int sctp_setsockopt_bindx(struct sock *sk,
}
out:
kfree
(
kaddrs
);
k
v
free
(
kaddrs
);
return
err
;
}
...
...
@@ -1323,13 +1306,6 @@ static int __sctp_connect(struct sock *sk,
* land and invoking either sctp_connectx(). This is used for tunneling
* the sctp_connectx() request through sctp_setsockopt() from userspace.
*
* We don't use copy_from_user() for optimization: we first do the
* sanity checks (buffer size -fast- and access check-healthy
* pointer); if all of those succeed, then we can alloc the memory
* (expensive operation) needed to copy the data to kernel. Then we do
* the copying without checking the user space area
* (__copy_from_user()).
*
* On exit there is no need to do sockfd_put(), sys_setsockopt() does
* it.
*
...
...
@@ -1345,7 +1321,6 @@ static int __sctp_setsockopt_connectx(struct sock *sk,
sctp_assoc_t
*
assoc_id
)
{
struct
sockaddr
*
kaddrs
;
gfp_t
gfp
=
GFP_KERNEL
;
int
err
=
0
;
pr_debug
(
"%s: sk:%p addrs:%p addrs_size:%d
\n
"
,
...
...
@@ -1354,24 +1329,12 @@ static int __sctp_setsockopt_connectx(struct sock *sk,
if
(
unlikely
(
addrs_size
<=
0
))
return
-
EINVAL
;
/* Check the user passed a healthy pointer. */
if
(
unlikely
(
!
access_ok
(
VERIFY_READ
,
addrs
,
addrs_size
)))
return
-
EFAULT
;
/* Alloc space for the address array in kernel memory. */
if
(
sk
->
sk_socket
->
file
)
gfp
=
GFP_USER
|
__GFP_NOWARN
;
kaddrs
=
kmalloc
(
addrs_size
,
gfp
);
if
(
unlikely
(
!
kaddrs
))
return
-
ENOMEM
;
kaddrs
=
vmemdup_user
(
addrs
,
addrs_size
);
if
(
unlikely
(
IS_ERR
(
kaddrs
)))
return
PTR_ERR
(
kaddrs
);
if
(
__copy_from_user
(
kaddrs
,
addrs
,
addrs_size
))
{
err
=
-
EFAULT
;
}
else
{
err
=
__sctp_connect
(
sk
,
kaddrs
,
addrs_size
,
assoc_id
);
}
kfree
(
kaddrs
);
kvfree
(
kaddrs
);
return
err
;
}
...
...
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录