batman-adv: bat_socket_read missing checks

Writing a icmp_packet_rr and then reading icmp_packet can lead to kernel memory corruption, if __user *buf is just below TASK_SIZE. Signed-off-by: Paul Kot <pawlkt@gmail.com> [sven@narfation.org: made it checkpatch clean] Signed-off-by: Sven Eckelmann <sven@narfation.org> Signed-off-by: Marek Lindner <lindner_marek@yahoo.de>

batman-adv: bat_socket_read missing checks
Writing a icmp_packet_rr and then reading icmp_packet can lead to kernel memory corruption, if __user *buf is just below TASK_SIZE. Signed-off-by: Paul Kot <pawlkt@gmail.com> [sven@narfation.org: made it checkpatch clean] Signed-off-by: Sven Eckelmann <sven@narfation.org> Signed-off-by: Marek Lindner <lindner_marek@yahoo.de>
c00b6856 · Paul Kot · Marek Lindner · 69497c17 · c00b6856
Commit c00b6856 authored Dec 10, 2011 by Paul Kot Committed by Marek Lindner Dec 12, 2011
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 2 deletions

net/batman-adv/icmp_socket.c net/batman-adv/icmp_socket.c +2 -2

No files found.
--- a/net/batman-adv/icmp_socket.c
+++ b/net/batman-adv/icmp_socket.c
@@ -136,8 +136,8 @@ static ssize_t bat_socket_read(struct file *file, char __user *buf,
 	spin_unlock_bh(&socket_client->lock);
-	error = __copy_to_user(buf, &socket_packet->icmp_packet,
+	error = copy_to_user(buf, &socket_packet->icmp_packet,
-			       socket_packet->icmp_len);
+			     socket_packet->icmp_len);
 	packet_len = socket_packet->icmp_len;
 	kfree(socket_packet);