Commit 6e950fd2 authored by Samuel Ortiz's avatar Samuel Ortiz

NFC: Copy user space buffer when sending UI frames

Using the user-space IO vector pointer directly is wrong; the payload has to be copied from user space into a kernel buffer first.
Signed-off-by: default avatarSamuel Ortiz <sameo@linux.intel.com>
parent 08eaa1e0
...@@ -579,7 +579,7 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap, ...@@ -579,7 +579,7 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap,
struct sk_buff *pdu; struct sk_buff *pdu;
struct nfc_llcp_local *local; struct nfc_llcp_local *local;
size_t frag_len = 0, remaining_len; size_t frag_len = 0, remaining_len;
u8 *msg_ptr; u8 *msg_ptr, *msg_data;
int err; int err;
pr_debug("Send UI frame len %zd\n", len); pr_debug("Send UI frame len %zd\n", len);
...@@ -588,8 +588,17 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap, ...@@ -588,8 +588,17 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap,
if (local == NULL) if (local == NULL)
return -ENODEV; return -ENODEV;
msg_data = kzalloc(len, GFP_KERNEL);
if (msg_data == NULL)
return -ENOMEM;
if (memcpy_fromiovec(msg_data, msg->msg_iov, len)) {
kfree(msg_data);
return -EFAULT;
}
remaining_len = len; remaining_len = len;
msg_ptr = (u8 *) msg->msg_iov; msg_ptr = msg_data;
while (remaining_len > 0) { while (remaining_len > 0) {
...@@ -616,6 +625,8 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap, ...@@ -616,6 +625,8 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap,
msg_ptr += frag_len; msg_ptr += frag_len;
} }
kfree(msg_data);
return len; return len;
} }
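Review bot: `len` is passed to `kzalloc(len, GFP_KERNEL)` with no upper bound visible in this section; on the sendmsg path it is the caller-supplied message size, so unless the caller already clamps it, a local user can request an arbitrarily large kernel allocation, which at best fails with -ENOMEM and for oversized requests trips the page allocator's warning. Bound it before allocating by comparing `len` against the largest UI payload the link can carry and returning -EMSGSIZE when it exceeds that. `kzalloc` is also more than needed here, since `memcpy_fromiovec` overwrites all `len` bytes before any are read, so `kmalloc` would do. The loop body between the two hunks is not shown, so any early return it contains now leaks `msg_data`; routing those exits through a single `kfree(msg_data)` label would keep the new buffer ownership correct. The function's signature and the first part of its body lie outside this section.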