NFC: Copy user space buffer when sending UI frames

Using the userspace IO vector directly is wrong, we should copy it from user space first. Signed-off-by: N Samuel Ortiz <sameo@linux.intel.com>

NFC: Copy user space buffer when sending UI frames
Using the userspace IO vector directly is wrong, we should copy it from user space first. Signed-off-by: N Samuel Ortiz <sameo@linux.intel.com>
6e950fd2 · Samuel Ortiz · 08eaa1e0 · 6e950fd2
隐藏空白更改
内联并排

Showing with 13 addition and 2 deletion

net/nfc/llcp/commands.c net/nfc/llcp/commands.c +13 -2

未找到文件。
--- a/net/nfc/llcp/commands.c
+++ b/net/nfc/llcp/commands.c
@@ -579,7 +579,7 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap,
 	struct sk_buff *pdu;
 	struct nfc_llcp_local *local;
 	size_t frag_len = 0, remaining_len;
-	u8 *msg_ptr;
+	u8 *msg_ptr, *msg_data;
 	int err;

 	pr_debug("Send UI frame len %zd\n", len);
@@ -588,8 +588,17 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap,
 	if (local == NULL)
 		return -ENODEV;

+	msg_data = kzalloc(len, GFP_KERNEL);
+	if (msg_data == NULL)
+		return -ENOMEM;
+
+	if (memcpy_fromiovec(msg_data, msg->msg_iov, len)) {
+		kfree(msg_data);
+		return -EFAULT;
+	}
+
 	remaining_len = len;
-	msg_ptr = (u8 *) msg->msg_iov;
+	msg_ptr = msg_data;

 	while (remaining_len > 0) {

@@ -616,6 +625,8 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap,
 		msg_ptr += frag_len;
 	}

+	kfree(msg_data);
+
 	return len;
 }