drivers/isdn/*.c

	- fix copy_{to,from}_user error handling (thanks to Rusty for pointing this out)
parent 3e12a6dc
...@@ -283,16 +283,18 @@ act2000_command(act2000_card * card, isdn_ctrl * c) ...@@ -283,16 +283,18 @@ act2000_command(act2000_card * card, isdn_ctrl * c)
actcapi_manufacturer_req_net(card); actcapi_manufacturer_req_net(card);
return 0; return 0;
case ACT2000_IOCTL_SETMSN: case ACT2000_IOCTL_SETMSN:
if ((ret = copy_from_user(tmp, (char *)a, sizeof(tmp)))) if (copy_from_user(tmp, (char *)a,
return ret; sizeof(tmp)))
return -EFAULT;
if ((ret = act2000_set_msn(card, tmp))) if ((ret = act2000_set_msn(card, tmp)))
return ret; return ret;
if (card->flags & ACT2000_FLAGS_RUNNING) if (card->flags & ACT2000_FLAGS_RUNNING)
return(actcapi_manufacturer_req_msn(card)); return(actcapi_manufacturer_req_msn(card));
return 0; return 0;
case ACT2000_IOCTL_ADDCARD: case ACT2000_IOCTL_ADDCARD:
if ((ret = copy_from_user(&cdef, (char *)a, sizeof(cdef)))) if (copy_from_user(&cdef, (char *)a,
return ret; sizeof(cdef)))
return -EFAULT;
if (act2000_addcard(cdef.bus, cdef.port, cdef.irq, cdef.id)) if (act2000_addcard(cdef.bus, cdef.port, cdef.irq, cdef.id))
return -EIO; return -EIO;
return 0; return 0;
......
...@@ -673,10 +673,9 @@ capi_read(struct file *file, char *buf, size_t count, loff_t *ppos) ...@@ -673,10 +673,9 @@ capi_read(struct file *file, char *buf, size_t count, loff_t *ppos)
skb_queue_head(&cdev->recvqueue, skb); skb_queue_head(&cdev->recvqueue, skb);
return -EMSGSIZE; return -EMSGSIZE;
} }
retval = copy_to_user(buf, skb->data, skb->len); if (copy_to_user(buf, skb->data, skb->len)) {
if (retval) {
skb_queue_head(&cdev->recvqueue, skb); skb_queue_head(&cdev->recvqueue, skb);
return retval; return -EFAULT;
} }
copied = skb->len; copied = skb->len;
...@@ -703,7 +702,7 @@ capi_write(struct file *file, const char *buf, size_t count, loff_t *ppos) ...@@ -703,7 +702,7 @@ capi_write(struct file *file, const char *buf, size_t count, loff_t *ppos)
if (!skb) if (!skb)
return -ENOMEM; return -ENOMEM;
if ((retval = copy_from_user(skb_put(skb, count), buf, count))) { if (copy_from_user(skb_put(skb, count), buf, count)) {
kfree_skb(skb); kfree_skb(skb);
return -EFAULT; return -EFAULT;
} }
...@@ -782,45 +781,36 @@ capi_ioctl(struct inode *inode, struct file *file, ...@@ -782,45 +781,36 @@ capi_ioctl(struct inode *inode, struct file *file,
case CAPI_GET_VERSION: case CAPI_GET_VERSION:
{ {
retval = copy_from_user((void *) &data.contr, if (copy_from_user((void *) &data.contr,
(void *) arg, (void *) arg,
sizeof(data.contr)); sizeof(data.contr)))
if (retval)
return -EFAULT; return -EFAULT;
cdev->errcode = capi20_get_version(data.contr, &data.version); cdev->errcode = capi20_get_version(data.contr, &data.version);
if (cdev->errcode) if (cdev->errcode)
return -EIO; return -EIO;
retval = copy_to_user((void *) arg, if (copy_to_user((void *)arg, (void *)&data.version,
(void *) &data.version, sizeof(data.version)))
sizeof(data.version));
if (retval)
return -EFAULT; return -EFAULT;
} }
return 0; return 0;
case CAPI_GET_SERIAL: case CAPI_GET_SERIAL:
{ {
retval = copy_from_user((void *) &data.contr, if (copy_from_user((void *)&data.contr, (void *)arg,
(void *) arg, sizeof(data.contr)))
sizeof(data.contr));
if (retval)
return -EFAULT; return -EFAULT;
cdev->errcode = capi20_get_serial (data.contr, data.serial); cdev->errcode = capi20_get_serial (data.contr, data.serial);
if (cdev->errcode) if (cdev->errcode)
return -EIO; return -EIO;
retval = copy_to_user((void *) arg, if (copy_to_user((void *)arg, (void *)data.serial,
(void *) data.serial, sizeof(data.serial)))
sizeof(data.serial));
if (retval)
return -EFAULT; return -EFAULT;
} }
return 0; return 0;
case CAPI_GET_PROFILE: case CAPI_GET_PROFILE:
{ {
retval = copy_from_user((void *) &data.contr, if (copy_from_user((void *)&data.contr, (void *)arg,
(void *) arg, sizeof(data.contr)))
sizeof(data.contr));
if (retval)
return -EFAULT; return -EFAULT;
if (data.contr == 0) { if (data.contr == 0) {
...@@ -848,18 +838,15 @@ capi_ioctl(struct inode *inode, struct file *file, ...@@ -848,18 +838,15 @@ capi_ioctl(struct inode *inode, struct file *file,
case CAPI_GET_MANUFACTURER: case CAPI_GET_MANUFACTURER:
{ {
retval = copy_from_user((void *) &data.contr, if (copy_from_user((void *)&data.contr, (void *)arg,
(void *) arg, sizeof(data.contr)))
sizeof(data.contr));
if (retval)
return -EFAULT; return -EFAULT;
cdev->errcode = capi20_get_manufacturer(data.contr, data.manufacturer); cdev->errcode = capi20_get_manufacturer(data.contr, data.manufacturer);
if (cdev->errcode) if (cdev->errcode)
return -EIO; return -EIO;
retval = copy_to_user((void *) arg, (void *) data.manufacturer, if (copy_to_user((void *)arg, (void *)data.manufacturer,
sizeof(data.manufacturer)); sizeof(data.manufacturer)))
if (retval)
return -EFAULT; return -EFAULT;
} }
...@@ -868,10 +855,8 @@ capi_ioctl(struct inode *inode, struct file *file, ...@@ -868,10 +855,8 @@ capi_ioctl(struct inode *inode, struct file *file,
data.errcode = cdev->errcode; data.errcode = cdev->errcode;
cdev->errcode = CAPI_NOERROR; cdev->errcode = CAPI_NOERROR;
if (arg) { if (arg) {
retval = copy_to_user((void *) arg, if (copy_to_user((void *)arg, (void *)&data.errcode,
(void *) &data.errcode, sizeof(data.errcode)))
sizeof(data.errcode));
if (retval)
return -EFAULT; return -EFAULT;
} }
return data.errcode; return data.errcode;
...@@ -886,9 +871,8 @@ capi_ioctl(struct inode *inode, struct file *file, ...@@ -886,9 +871,8 @@ capi_ioctl(struct inode *inode, struct file *file,
struct capi_manufacturer_cmd mcmd; struct capi_manufacturer_cmd mcmd;
if (!capable(CAP_SYS_ADMIN)) if (!capable(CAP_SYS_ADMIN))
return -EPERM; return -EPERM;
retval = copy_from_user((void *) &mcmd, (void *) arg, if (copy_from_user((void *)&mcmd, (void *)arg,
sizeof(mcmd)); sizeof(mcmd)))
if (retval)
return -EFAULT; return -EFAULT;
return capi20_manufacturer(mcmd.cmd, mcmd.data); return capi20_manufacturer(mcmd.cmd, mcmd.data);
} }
...@@ -898,10 +882,8 @@ capi_ioctl(struct inode *inode, struct file *file, ...@@ -898,10 +882,8 @@ capi_ioctl(struct inode *inode, struct file *file,
case CAPI_CLR_FLAGS: case CAPI_CLR_FLAGS:
{ {
unsigned userflags; unsigned userflags;
retval = copy_from_user((void *) &userflags, if (copy_from_user((void *)&userflags, (void *)arg,
(void *) arg, sizeof(userflags)))
sizeof(userflags));
if (retval)
return -EFAULT; return -EFAULT;
if (cmd == CAPI_SET_FLAGS) if (cmd == CAPI_SET_FLAGS)
cdev->userflags |= userflags; cdev->userflags |= userflags;
...@@ -911,13 +893,9 @@ capi_ioctl(struct inode *inode, struct file *file, ...@@ -911,13 +893,9 @@ capi_ioctl(struct inode *inode, struct file *file,
return 0; return 0;
case CAPI_GET_FLAGS: case CAPI_GET_FLAGS:
{ if (copy_to_user((void *)arg, (void *)&cdev->userflags,
retval = copy_to_user((void *) arg, sizeof(cdev->userflags)))
(void *) &cdev->userflags,
sizeof(cdev->userflags));
if (retval)
return -EFAULT; return -EFAULT;
}
return 0; return 0;
case CAPI_NCCI_OPENCOUNT: case CAPI_NCCI_OPENCOUNT:
...@@ -928,10 +906,8 @@ capi_ioctl(struct inode *inode, struct file *file, ...@@ -928,10 +906,8 @@ capi_ioctl(struct inode *inode, struct file *file,
#endif /* CONFIG_ISDN_CAPI_MIDDLEWARE */ #endif /* CONFIG_ISDN_CAPI_MIDDLEWARE */
unsigned ncci; unsigned ncci;
int count = 0; int count = 0;
retval = copy_from_user((void *) &ncci, if (copy_from_user((void *)&ncci, (void *)arg,
(void *) arg, sizeof(ncci)))
sizeof(ncci));
if (retval)
return -EFAULT; return -EFAULT;
nccip = capincci_find(cdev, (u32) ncci); nccip = capincci_find(cdev, (u32) ncci);
if (!nccip) if (!nccip)
...@@ -951,10 +927,8 @@ capi_ioctl(struct inode *inode, struct file *file, ...@@ -951,10 +927,8 @@ capi_ioctl(struct inode *inode, struct file *file,
struct capincci *nccip; struct capincci *nccip;
struct capiminor *mp; struct capiminor *mp;
unsigned ncci; unsigned ncci;
retval = copy_from_user((void *) &ncci, if (copy_from_user((void *)&ncci, (void *)arg,
(void *) arg, sizeof(ncci)))
sizeof(ncci));
if (retval)
return -EFAULT; return -EFAULT;
nccip = capincci_find(cdev, (u32) ncci); nccip = capincci_find(cdev, (u32) ncci);
if (!nccip || (mp = nccip->minorp) == 0) if (!nccip || (mp = nccip->minorp) == 0)
......
...@@ -1060,15 +1060,15 @@ static int old_capi_manufacturer(unsigned int cmd, void *data) ...@@ -1060,15 +1060,15 @@ static int old_capi_manufacturer(unsigned int cmd, void *data)
case AVMB1_LOAD_AND_CONFIG: case AVMB1_LOAD_AND_CONFIG:
if (cmd == AVMB1_LOAD) { if (cmd == AVMB1_LOAD) {
if ((retval = copy_from_user((void *) &ldef, data, if (copy_from_user((void *)&ldef, data,
sizeof(avmb1_loaddef)))) sizeof(avmb1_loaddef)))
return retval; return -EFAULT;
ldef.t4config.len = 0; ldef.t4config.len = 0;
ldef.t4config.data = 0; ldef.t4config.data = 0;
} else { } else {
if ((retval = copy_from_user((void *) &ldef, data, if (copy_from_user((void *)&ldef, data,
sizeof(avmb1_loadandconfigdef)))) sizeof(avmb1_loadandconfigdef)))
return retval; return -EFAULT;
} }
card = get_capi_ctr_by_nr(ldef.contr); card = get_capi_ctr_by_nr(ldef.contr);
card = capi_ctr_get(card); card = capi_ctr_get(card);
...@@ -1123,9 +1123,8 @@ static int old_capi_manufacturer(unsigned int cmd, void *data) ...@@ -1123,9 +1123,8 @@ static int old_capi_manufacturer(unsigned int cmd, void *data)
return 0; return 0;
case AVMB1_RESETCARD: case AVMB1_RESETCARD:
if ((retval = copy_from_user((void *) &rdef, data, if (copy_from_user((void *)&rdef, data, sizeof(avmb1_resetdef)))
sizeof(avmb1_resetdef)))) return -EFAULT;
return retval;
card = get_capi_ctr_by_nr(rdef.contr); card = get_capi_ctr_by_nr(rdef.contr);
if (!card) if (!card)
return -ESRCH; return -ESRCH;
...@@ -1146,9 +1145,8 @@ static int old_capi_manufacturer(unsigned int cmd, void *data) ...@@ -1146,9 +1145,8 @@ static int old_capi_manufacturer(unsigned int cmd, void *data)
return 0; return 0;
case AVMB1_GET_CARDINFO: case AVMB1_GET_CARDINFO:
if ((retval = copy_from_user((void *) &gdef, data, if (copy_from_user((void *)&gdef, data, sizeof(avmb1_getdef)))
sizeof(avmb1_getdef)))) return -EFAULT;
return retval;
card = get_capi_ctr_by_nr(gdef.contr); card = get_capi_ctr_by_nr(gdef.contr);
if (!card) if (!card)
...@@ -1159,9 +1157,8 @@ static int old_capi_manufacturer(unsigned int cmd, void *data) ...@@ -1159,9 +1157,8 @@ static int old_capi_manufacturer(unsigned int cmd, void *data)
gdef.cardtype = AVM_CARDTYPE_T1; gdef.cardtype = AVM_CARDTYPE_T1;
else gdef.cardtype = AVM_CARDTYPE_B1; else gdef.cardtype = AVM_CARDTYPE_B1;
if ((retval = copy_to_user(data, (void *) &gdef, if (copy_to_user(data, (void *)&gdef, sizeof(avmb1_getdef)))
sizeof(avmb1_getdef)))) return -EFAULT;
return retval;
return 0; return 0;
} }
...@@ -1187,9 +1184,8 @@ int capi20_manufacturer(unsigned int cmd, void *data) ...@@ -1187,9 +1184,8 @@ int capi20_manufacturer(unsigned int cmd, void *data)
{ {
kcapi_flagdef fdef; kcapi_flagdef fdef;
if ((retval = copy_from_user((void *) &fdef, data, if (copy_from_user((void *)&fdef, data, sizeof(kcapi_flagdef)))
sizeof(kcapi_flagdef)))) return -EFAULT;
return retval;
card = get_capi_ctr_by_nr(fdef.contr); card = get_capi_ctr_by_nr(fdef.contr);
if (!card) if (!card)
......
...@@ -185,8 +185,8 @@ isdn_divert_ioctl(struct inode *inode, struct file *file, ...@@ -185,8 +185,8 @@ isdn_divert_ioctl(struct inode *inode, struct file *file,
divert_rule *rulep; divert_rule *rulep;
char *cp; char *cp;
if ((i = copy_from_user(&dioctl, (char *) arg, sizeof(dioctl)))) if (copy_from_user(&dioctl, (char *) arg, sizeof(dioctl)))
return (i); return -EFAULT;
switch (cmd) { switch (cmd) {
case IIOCGETVER: case IIOCGETVER:
...@@ -254,7 +254,7 @@ isdn_divert_ioctl(struct inode *inode, struct file *file, ...@@ -254,7 +254,7 @@ isdn_divert_ioctl(struct inode *inode, struct file *file,
default: default:
return (-EINVAL); return (-EINVAL);
} /* switch cmd */ } /* switch cmd */
return (copy_to_user((char *) arg, &dioctl, sizeof(dioctl))); /* success */ return copy_to_user((char *)arg, &dioctl, sizeof(dioctl)) ? -EFAULT : 0;
} /* isdn_divert_ioctl */ } /* isdn_divert_ioctl */
......
...@@ -213,7 +213,10 @@ eicon_command(eicon_card * card, isdn_ctrl * c) ...@@ -213,7 +213,10 @@ eicon_command(eicon_card * card, isdn_ctrl * c)
return(EICON_CTRL_VERSION); return(EICON_CTRL_VERSION);
case EICON_IOCTL_GETTYPE: case EICON_IOCTL_GETTYPE:
if (card->bus == EICON_BUS_PCI) { if (card->bus == EICON_BUS_PCI) {
copy_to_user((char *)a, &card->hwif.pci.master, sizeof(int)); if (copy_to_user((char *)a,
&card->hwif.pci.master,
sizeof(int)))
return -EFAULT;
} }
return(card->type); return(card->type);
case EICON_IOCTL_GETMMIO: case EICON_IOCTL_GETMMIO:
...@@ -351,7 +354,8 @@ eicon_command(eicon_card * card, isdn_ctrl * c) ...@@ -351,7 +354,8 @@ eicon_command(eicon_card * card, isdn_ctrl * c)
return -ENODEV; return -ENODEV;
case EICON_IOCTL_ADDCARD: case EICON_IOCTL_ADDCARD:
if ((ret = copy_from_user(&cdef, (char *)a, sizeof(cdef)))) if (copy_from_user(&cdef, (char *)a,
sizeof(cdef)))
return -EFAULT; return -EFAULT;
if (!(eicon_addcard(0, cdef.membase, cdef.irq, cdef.id, 0))) if (!(eicon_addcard(0, cdef.membase, cdef.irq, cdef.id, 0)))
return -EIO; return -EIO;
...@@ -376,8 +380,9 @@ eicon_command(eicon_card * card, isdn_ctrl * c) ...@@ -376,8 +380,9 @@ eicon_command(eicon_card * card, isdn_ctrl * c)
#ifdef CONFIG_ISDN_DRV_EICON_PCI #ifdef CONFIG_ISDN_DRV_EICON_PCI
if (c->arg < EICON_IOCTL_DIA_OFFSET) if (c->arg < EICON_IOCTL_DIA_OFFSET)
return -EINVAL; return -EINVAL;
if (copy_from_user(&dstart, (char *)a, sizeof(dstart))) if (copy_from_user(&dstart, (char *)a,
return -1; sizeof(dstart)))
return -EFAULT;
if (!(card = eicon_findnpcicard(dstart.card_id))) if (!(card = eicon_findnpcicard(dstart.card_id)))
return -EINVAL; return -EINVAL;
ret = do_ioctl(NULL, NULL, ret = do_ioctl(NULL, NULL,
...@@ -667,7 +672,8 @@ if_readstatus(u_char * buf, int len, int user, int id, int channel) ...@@ -667,7 +672,8 @@ if_readstatus(u_char * buf, int len, int user, int id, int channel)
if (user) { if (user) {
spin_unlock_irqrestore(&eicon_lock, flags); spin_unlock_irqrestore(&eicon_lock, flags);
copy_to_user(p, skb->data, cnt); if (copy_to_user(p, skb->data, cnt))
return -EFAULT;
spin_lock_irqsave(&eicon_lock, flags); spin_lock_irqsave(&eicon_lock, flags);
} }
else else
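Review bot: The new `return -EFAULT` in if_readstatus leaves the function with `skb` neither freed nor put back, whereas capi_read in this same commit calls `skb_queue_head(&cdev->recvqueue, skb)` before returning the error. If `skb` was taken off the status queue earlier in the loop (that part is outside the hunk), the buffer is leaked and its status bytes are lost on every faulting read. Consider requeueing or freeing it on the error path, and returning the bytes already copied when that count is non-zero. The lock state appears consistent, since the return happens after `spin_unlock_irqrestore`.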
......
...@@ -166,15 +166,14 @@ int b1_load_t4file(avmcard *card, capiloaddatapart * t4file) ...@@ -166,15 +166,14 @@ int b1_load_t4file(avmcard *card, capiloaddatapart * t4file)
{ {
unsigned char buf[256]; unsigned char buf[256];
unsigned char *dp; unsigned char *dp;
int i, left, retval; int i, left;
unsigned int base = card->port; unsigned int base = card->port;
dp = t4file->data; dp = t4file->data;
left = t4file->len; left = t4file->len;
while (left > sizeof(buf)) { while (left > sizeof(buf)) {
if (t4file->user) { if (t4file->user) {
retval = copy_from_user(buf, dp, sizeof(buf)); if (copy_from_user(buf, dp, sizeof(buf)))
if (retval)
return -EFAULT; return -EFAULT;
} else { } else {
memcpy(buf, dp, sizeof(buf)); memcpy(buf, dp, sizeof(buf));
...@@ -190,8 +189,7 @@ int b1_load_t4file(avmcard *card, capiloaddatapart * t4file) ...@@ -190,8 +189,7 @@ int b1_load_t4file(avmcard *card, capiloaddatapart * t4file)
} }
if (left) { if (left) {
if (t4file->user) { if (t4file->user) {
retval = copy_from_user(buf, dp, left); if (copy_from_user(buf, dp, left))
if (retval)
return -EFAULT; return -EFAULT;
} else { } else {
memcpy(buf, dp, left); memcpy(buf, dp, left);
...@@ -211,7 +209,7 @@ int b1_load_config(avmcard *card, capiloaddatapart * config) ...@@ -211,7 +209,7 @@ int b1_load_config(avmcard *card, capiloaddatapart * config)
unsigned char buf[256]; unsigned char buf[256];
unsigned char *dp; unsigned char *dp;
unsigned int base = card->port; unsigned int base = card->port;
int i, j, left, retval; int i, j, left;
dp = config->data; dp = config->data;
left = config->len; left = config->len;
...@@ -223,8 +221,7 @@ int b1_load_config(avmcard *card, capiloaddatapart * config) ...@@ -223,8 +221,7 @@ int b1_load_config(avmcard *card, capiloaddatapart * config)
} }
while (left > sizeof(buf)) { while (left > sizeof(buf)) {
if (config->user) { if (config->user) {
retval = copy_from_user(buf, dp, sizeof(buf)); if (copy_from_user(buf, dp, sizeof(buf)))
if (retval)
return -EFAULT; return -EFAULT;
} else { } else {
memcpy(buf, dp, sizeof(buf)); memcpy(buf, dp, sizeof(buf));
...@@ -240,8 +237,7 @@ int b1_load_config(avmcard *card, capiloaddatapart * config) ...@@ -240,8 +237,7 @@ int b1_load_config(avmcard *card, capiloaddatapart * config)
} }
if (left) { if (left) {
if (config->user) { if (config->user) {
retval = copy_from_user(buf, dp, left); if (copy_from_user(buf, dp, left))
if (retval)
return -EFAULT; return -EFAULT;
} else { } else {
memcpy(buf, dp, left); memcpy(buf, dp, left);
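Review bot: `left` stays a signed `int` in b1_load_t4file and b1_load_config while it is compared with `sizeof(buf)`, so a negative length is converted to a large unsigned value and the `while (left > sizeof(buf))` loop keeps running until a copy faults. If `t4file->len` / `config->len` can be set by the ioctl caller (their type and origin are not visible in these hunks), reject the value up front, e.g. `if (t4file->len < 0) return -EINVAL;`, or make `left` unsigned. c4_load_t4file compares its `int left` with `sizeof(u32)` in the same way. Both function bodies extend beyond the hunks shown.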
......
...@@ -191,15 +191,14 @@ static int c4_load_t4file(avmcard *card, capiloaddatapart * t4file) ...@@ -191,15 +191,14 @@ static int c4_load_t4file(avmcard *card, capiloaddatapart * t4file)
{ {
u32 val; u32 val;
unsigned char *dp; unsigned char *dp;
int left, retval; int left;
u32 loadoff = 0; u32 loadoff = 0;
dp = t4file->data; dp = t4file->data;
left = t4file->len; left = t4file->len;
while (left >= sizeof(u32)) { while (left >= sizeof(u32)) {
if (t4file->user) { if (t4file->user) {
retval = copy_from_user(&val, dp, sizeof(val)); if (copy_from_user(&val, dp, sizeof(val)))
if (retval)
return -EFAULT; return -EFAULT;
} else { } else {
memcpy(&val, dp, sizeof(val)); memcpy(&val, dp, sizeof(val));
...@@ -216,8 +215,7 @@ static int c4_load_t4file(avmcard *card, capiloaddatapart * t4file) ...@@ -216,8 +215,7 @@ static int c4_load_t4file(avmcard *card, capiloaddatapart * t4file)
if (left) { if (left) {
val = 0; val = 0;
if (t4file->user) { if (t4file->user) {
retval = copy_from_user(&val, dp, left); if (copy_from_user(&val, dp, left))
if (retval)
return -EFAULT; return -EFAULT;
} else { } else {
memcpy(&val, dp, left); memcpy(&val, dp, left);
...@@ -808,8 +806,7 @@ static int c4_send_config(avmcard *card, capiloaddatapart * config) ...@@ -808,8 +806,7 @@ static int c4_send_config(avmcard *card, capiloaddatapart * config)
left = config->len; left = config->len;
while (left >= sizeof(u32)) { while (left >= sizeof(u32)) {
if (config->user) { if (config->user) {
retval = copy_from_user(val, dp, sizeof(val)); if (copy_from_user(val, dp, sizeof(val)))
if (retval)
return -EFAULT; return -EFAULT;
} else { } else {
memcpy(val, dp, sizeof(val)); memcpy(val, dp, sizeof(val));
...@@ -822,8 +819,7 @@ static int c4_send_config(avmcard *card, capiloaddatapart * config) ...@@ -822,8 +819,7 @@ static int c4_send_config(avmcard *card, capiloaddatapart * config)
if (left) { if (left) {
memset(val, 0, sizeof(val)); memset(val, 0, sizeof(val));
if (config->user) { if (config->user) {
retval = copy_from_user(&val, dp, left); if (copy_from_user(&val, dp, left))
if (retval)
return -EFAULT; return -EFAULT;
} else { } else {
memcpy(&val, dp, left); memcpy(&val, dp, left);
......
...@@ -641,9 +641,10 @@ int HiSax_readstatus(u_char * buf, int len, int user, int id, int channel) ...@@ -641,9 +641,10 @@ int HiSax_readstatus(u_char * buf, int len, int user, int id, int channel)
count = cs->status_end - cs->status_read + 1; count = cs->status_end - cs->status_read + 1;
if (count >= len) if (count >= len)
count = len; count = len;
if (user) if (user) {
copy_to_user(p, cs->status_read, count); if (copy_to_user(p, cs->status_read, count))
else return -EFAULT;
} else
memcpy(p, cs->status_read, count); memcpy(p, cs->status_read, count);
cs->status_read += count; cs->status_read += count;
if (cs->status_read > cs->status_end) if (cs->status_read > cs->status_end)
...@@ -655,9 +656,10 @@ int HiSax_readstatus(u_char * buf, int len, int user, int id, int channel) ...@@ -655,9 +656,10 @@ int HiSax_readstatus(u_char * buf, int len, int user, int id, int channel)
cnt = HISAX_STATUS_BUFSIZE; cnt = HISAX_STATUS_BUFSIZE;
else else
cnt = count; cnt = count;
if (user) if (user) {
copy_to_user(p, cs->status_read, cnt); if (copy_to_user(p, cs->status_read, cnt))
else return -EFAULT;
} else
memcpy(p, cs->status_read, cnt); memcpy(p, cs->status_read, cnt);
p += cnt; p += cnt;
cs->status_read += cnt % HISAX_STATUS_BUFSIZE; cs->status_read += cnt % HISAX_STATUS_BUFSIZE;
......
...@@ -217,7 +217,7 @@ isar_load_firmware(struct IsdnCardState *cs, u_char *buf) ...@@ -217,7 +217,7 @@ isar_load_firmware(struct IsdnCardState *cs, u_char *buf)
} }
if ((ret = copy_from_user(&size, p, sizeof(int)))) { if ((ret = copy_from_user(&size, p, sizeof(int)))) {
printk(KERN_ERR"isar_load_firmware copy_from_user ret %d\n", ret); printk(KERN_ERR"isar_load_firmware copy_from_user ret %d\n", ret);
return ret; return -EFAULT;
} }
p += sizeof(int); p += sizeof(int);
printk(KERN_DEBUG"isar_load_firmware size: %d\n", size); printk(KERN_DEBUG"isar_load_firmware size: %d\n", size);
...@@ -240,6 +240,7 @@ isar_load_firmware(struct IsdnCardState *cs, u_char *buf) ...@@ -240,6 +240,7 @@ isar_load_firmware(struct IsdnCardState *cs, u_char *buf)
while (cnt < size) { while (cnt < size) {
if ((ret = copy_from_user(&blk_head, p, BLK_HEAD_SIZE))) { if ((ret = copy_from_user(&blk_head, p, BLK_HEAD_SIZE))) {
printk(KERN_ERR"isar_load_firmware copy_from_user ret %d\n", ret); printk(KERN_ERR"isar_load_firmware copy_from_user ret %d\n", ret);
ret = -EFAULT;
goto reterror; goto reterror;
} }
#ifdef __BIG_ENDIAN #ifdef __BIG_ENDIAN
...@@ -282,6 +283,7 @@ isar_load_firmware(struct IsdnCardState *cs, u_char *buf) ...@@ -282,6 +283,7 @@ isar_load_firmware(struct IsdnCardState *cs, u_char *buf)
*mp++ = noc; *mp++ = noc;
if ((ret = copy_from_user(tmpmsg, p, nom))) { if ((ret = copy_from_user(tmpmsg, p, nom))) {
printk(KERN_ERR"isar_load_firmware copy_from_user ret %d\n", ret); printk(KERN_ERR"isar_load_firmware copy_from_user ret %d\n", ret);
ret = -EFAULT;
goto reterror; goto reterror;
} }
p += nom; p += nom;
......
...@@ -731,7 +731,11 @@ isdn_ppp_read(struct file *file, char *buf, size_t count, loff_t *off) ...@@ -731,7 +731,11 @@ isdn_ppp_read(struct file *file, char *buf, size_t count, loff_t *off)
restore_flags(flags); restore_flags(flags);
copy_to_user(buf, save_buf, count); if (copy_to_user(buf, save_buf, count)) {
kfree(save_buf);
retval = -EFAULT;
goto out;
}
kfree(save_buf); kfree(save_buf);
retval = count; retval = count;
......
...@@ -1202,9 +1202,12 @@ isdn_tty_write(struct tty_struct *tty, int from_user, const u_char * buf, int co ...@@ -1202,9 +1202,12 @@ isdn_tty_write(struct tty_struct *tty, int from_user, const u_char * buf, int co
&(m->pluscount), &(m->pluscount),
&(m->lastplus), &(m->lastplus),
from_user); from_user);
if (from_user) if (from_user) {
copy_from_user(&(info->xmit_buf[info->xmit_count]), buf, c); if (copy_from_user(&(info->xmit_buf[info->xmit_count]), buf, c)) {
else total = -EFAULT;
goto out;
}
} else
memcpy(&(info->xmit_buf[info->xmit_count]), buf, c); memcpy(&(info->xmit_buf[info->xmit_count]), buf, c);
#ifdef CONFIG_ISDN_AUDIO #ifdef CONFIG_ISDN_AUDIO
if (info->vonline) { if (info->vonline) {
...@@ -1284,6 +1287,7 @@ isdn_tty_write(struct tty_struct *tty, int from_user, const u_char * buf, int co ...@@ -1284,6 +1287,7 @@ isdn_tty_write(struct tty_struct *tty, int from_user, const u_char * buf, int co
} }
isdn_timer_ctrl(ISDN_TIMER_MODEMXMIT, 1); isdn_timer_ctrl(ISDN_TIMER_MODEMXMIT, 1);
} }
out:
if (from_user) if (from_user)
up(&info->write_sem); up(&info->write_sem);
return total; return total;
...@@ -2589,7 +2593,8 @@ isdn_tty_check_esc(const u_char * p, u_char plus, int count, int *pluscount, ...@@ -2589,7 +2593,8 @@ isdn_tty_check_esc(const u_char * p, u_char plus, int count, int *pluscount,
*pluscount = 0; *pluscount = 0;
} }
if (from_user) { if (from_user) {
copy_from_user(cbuf, p, count); if (copy_from_user(cbuf, p, count))
return;
p = cbuf; p = cbuf;
} }
while (count > 0) { while (count > 0) {
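Review bot: Setting `total = -EFAULT` before `goto out` in isdn_tty_write discards whatever `total` held, so if earlier passes of the loop (outside this hunk) already queued bytes into `xmit_buf`, the caller is told nothing was written and may send them again. A write that faults partway conventionally reports the partial count, e.g. `if (!total) total = -EFAULT;`. Separately, isdn_tty_check_esc now returns silently when its copy fails, and the same user buffer is then fetched a second time in isdn_tty_write, so the escape check and the transmitted data are not guaranteed to see the same bytes; copying once into the kernel buffer and scanning that copy would address both.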
......
...@@ -821,9 +821,9 @@ icn_loadboot(u_char * buffer, icn_card * card) ...@@ -821,9 +821,9 @@ icn_loadboot(u_char * buffer, icn_card * card)
printk(KERN_WARNING "icn: Could not allocate code buffer\n"); printk(KERN_WARNING "icn: Could not allocate code buffer\n");
return -ENOMEM; return -ENOMEM;
} }
if ((ret = copy_from_user(codebuf, buffer, ICN_CODE_STAGE1))) { if (copy_from_user(codebuf, buffer, ICN_CODE_STAGE1)) {
kfree(codebuf); kfree(codebuf);
return ret; return -EFAULT;
} }
if (!card->rvalid) { if (!card->rvalid) {
if (check_region(card->port, ICN_PORTLEN)) { if (check_region(card->port, ICN_PORTLEN)) {
...@@ -1057,9 +1057,10 @@ icn_writecmd(const u_char * buf, int len, int user, icn_card * card) ...@@ -1057,9 +1057,10 @@ icn_writecmd(const u_char * buf, int len, int user, icn_card * card)
count = cmd_free; count = cmd_free;
if (count > len) if (count > len)
count = len; count = len;
if (user) if (user) {
copy_from_user(msg, buf, count); if (copy_from_user(msg, buf, count))
else return -EFAULT;
} else
memcpy(msg, buf, count); memcpy(msg, buf, count);
save_flags(flags); save_flags(flags);
...@@ -1237,15 +1238,17 @@ icn_command(isdn_ctrl * c, icn_card * card) ...@@ -1237,15 +1238,17 @@ icn_command(isdn_ctrl * c, icn_card * card)
case ICN_IOCTL_GETDOUBLE: case ICN_IOCTL_GETDOUBLE:
return (int) card->doubleS0; return (int) card->doubleS0;
case ICN_IOCTL_DEBUGVAR: case ICN_IOCTL_DEBUGVAR:
if ((i = copy_to_user((char *) a, if (copy_to_user((char *)a,
(char *) &card, sizeof(ulong)))) (char *)&card,
return i; sizeof(ulong)))
return -EFAULT;
a += sizeof(ulong); a += sizeof(ulong);
{ {
ulong l = (ulong) & dev; ulong l = (ulong) & dev;
if ((i = copy_to_user((char *) a, if (copy_to_user((char *)a,
(char *) &l, sizeof(ulong)))) (char *)&l,
return i; sizeof(ulong)))
return -EFAULT;
} }
return 0; return 0;
case ICN_IOCTL_LOADBOOT: case ICN_IOCTL_LOADBOOT:
...@@ -1266,8 +1269,10 @@ icn_command(isdn_ctrl * c, icn_card * card) ...@@ -1266,8 +1269,10 @@ icn_command(isdn_ctrl * c, icn_card * card)
case ICN_IOCTL_ADDCARD: case ICN_IOCTL_ADDCARD:
if (!dev.firstload) if (!dev.firstload)
return -EBUSY; return -EBUSY;
if ((i = copy_from_user((char *) &cdef, (char *) a, sizeof(cdef)))) if (copy_from_user((char *)&cdef,
return i; (char *)a,
sizeof(cdef)))
return -EFAULT;
return (icn_addcard(cdef.port, cdef.id1, cdef.id2)); return (icn_addcard(cdef.port, cdef.id1, cdef.id2));
break; break;
case ICN_IOCTL_LEASEDCFG: case ICN_IOCTL_LEASEDCFG:
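Review bot: ICN_IOCTL_DEBUGVAR still hands kernel addresses to user space: the first `copy_to_user` sends the value of the `card` pointer and the second sends `(ulong) &dev`, and this change only corrects the error code around them. Kernel pointers exposed through an ioctl weaken address-space hardening, and no privilege check is visible in this hunk (one may exist earlier in icn_command, which starts outside it). If the debug ioctl is still needed, gate it with `if (!capable(CAP_SYS_ADMIN)) return -EPERM;` as capi_ioctl does for its manufacturer command; otherwise the case could be dropped.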
......
...@@ -986,9 +986,10 @@ isdnloop_writecmd(const u_char * buf, int len, int user, isdnloop_card * card) ...@@ -986,9 +986,10 @@ isdnloop_writecmd(const u_char * buf, int len, int user, isdnloop_card * card)
if (count > 255) if (count > 255)
count = 255; count = 255;
if (user) if (user) {
copy_from_user(msg, buf, count); if (copy_from_user(msg, buf, count))
else return -EFAULT;
} else
memcpy(msg, buf, count); memcpy(msg, buf, count);
isdnloop_putmsg(card, '>'); isdnloop_putmsg(card, '>');
for (p = msg; count > 0; count--, p++) { for (p = msg; count > 0; count--, p++) {
...@@ -1076,7 +1077,8 @@ isdnloop_start(isdnloop_card * card, isdnloop_sdef * sdefp) ...@@ -1076,7 +1077,8 @@ isdnloop_start(isdnloop_card * card, isdnloop_sdef * sdefp)
if (card->flags & ISDNLOOP_FLAGS_RUNNING) if (card->flags & ISDNLOOP_FLAGS_RUNNING)
return -EBUSY; return -EBUSY;
copy_from_user((char *) &sdef, (char *) sdefp, sizeof(sdef)); if (copy_from_user((char *) &sdef, (char *) sdefp, sizeof(sdef)))
return -EFAULT;
save_flags(flags); save_flags(flags);
cli(); cli();
switch (sdef.ptype) { switch (sdef.ptype) {
...@@ -1149,9 +1151,10 @@ isdnloop_command(isdn_ctrl * c, isdnloop_card * card) ...@@ -1149,9 +1151,10 @@ isdnloop_command(isdn_ctrl * c, isdnloop_card * card)
return (isdnloop_start(card, (isdnloop_sdef *) a)); return (isdnloop_start(card, (isdnloop_sdef *) a));
break; break;
case ISDNLOOP_IOCTL_ADDCARD: case ISDNLOOP_IOCTL_ADDCARD:
if ((i = verify_area(VERIFY_READ, (void *) a, sizeof(isdnloop_cdef)))) if (copy_from_user((char *)&cdef,
return i; (char *)a,
copy_from_user((char *) &cdef, (char *) a, sizeof(cdef)); sizeof(cdef)))
return -EFAULT;
return (isdnloop_addcard(cdef.id1)); return (isdnloop_addcard(cdef.id1));
break; break;
case ISDNLOOP_IOCTL_LEASEDCFG: case ISDNLOOP_IOCTL_LEASEDCFG:
......
...@@ -126,11 +126,11 @@ int command(isdn_ctrl *cmd) ...@@ -126,11 +126,11 @@ int command(isdn_ctrl *cmd)
int err; int err;
memcpy(&cmdptr, cmd->parm.num, sizeof(unsigned long)); memcpy(&cmdptr, cmd->parm.num, sizeof(unsigned long));
if((err = copy_from_user(&ioc, (scs_ioctl *) cmdptr, if (copy_from_user(&ioc, (scs_ioctl *)cmdptr,
sizeof(scs_ioctl)))) { sizeof(scs_ioctl))) {
pr_debug("%s: Failed to verify user space 0x%x\n", pr_debug("%s: Failed to verify user space 0x%x\n",
adapter[card]->devicename, cmdptr); adapter[card]->devicename, cmdptr);
return err; return -EFAULT;
} }
return sc_ioctl(card, &ioc); return sc_ioctl(card, &ioc);
} }
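Review bot: The `pr_debug` on this error path prints `cmdptr` with `0x%x`, but `cmdptr` is filled with `sizeof(unsigned long)` bytes two lines above, so it is presumably an `unsigned long` (its declaration is outside the hunk) and the specifier should be `0x%lx`. The message also still says "Failed to verify user space" although the failing operation is now the copy itself; wording such as "Failed to copy ioctl data from user space" would match the code.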
......
...@@ -55,8 +55,8 @@ int sc_ioctl(int card, scs_ioctl *data) ...@@ -55,8 +55,8 @@ int sc_ioctl(int card, scs_ioctl *data)
/* /*
* Get the SRec from user space * Get the SRec from user space
*/ */
if ((err = copy_from_user(srec, (char *) data->dataptr, sizeof(srec)))) if (copy_from_user(srec, (char *) data->dataptr, sizeof(srec)))
return err; return -EFAULT;
status = send_and_receive(card, CMPID, cmReqType2, cmReqClass0, cmReqLoadProc, status = send_and_receive(card, CMPID, cmReqType2, cmReqClass0, cmReqLoadProc,
0, sizeof(srec), srec, &rcvmsg, SAR_TIMEOUT); 0, sizeof(srec), srec, &rcvmsg, SAR_TIMEOUT);
...@@ -96,8 +96,9 @@ int sc_ioctl(int card, scs_ioctl *data) ...@@ -96,8 +96,9 @@ int sc_ioctl(int card, scs_ioctl *data)
/* /*
* Get the switch type from user space * Get the switch type from user space
*/ */
if ((err = copy_from_user(&switchtype, (char *) data->dataptr, sizeof(char)))) if (copy_from_user(&switchtype, (char *)data->dataptr,
return err; sizeof(char)))
return -EFAULT;
pr_debug("%s: SCIOCSETSWITCH: setting switch type to %d\n", adapter[card]->devicename, pr_debug("%s: SCIOCSETSWITCH: setting switch type to %d\n", adapter[card]->devicename,
switchtype); switchtype);
...@@ -141,8 +142,9 @@ int sc_ioctl(int card, scs_ioctl *data) ...@@ -141,8 +142,9 @@ int sc_ioctl(int card, scs_ioctl *data)
/* /*
* Package the switch type and send to user space * Package the switch type and send to user space
*/ */
if ((err = copy_to_user((char *) data->dataptr, &switchtype, sizeof(char)))) if (copy_to_user((char *)data->dataptr, &switchtype,
return err; sizeof(char)))
return -EFAULT;
return 0; return 0;
} }
...@@ -173,8 +175,8 @@ int sc_ioctl(int card, scs_ioctl *data) ...@@ -173,8 +175,8 @@ int sc_ioctl(int card, scs_ioctl *data)
/* /*
* Package the switch type and send to user space * Package the switch type and send to user space
*/ */
if ((err = copy_to_user((char *) data->dataptr, spid, sizeof(spid)))) if (copy_to_user((char *)data->dataptr, spid, sizeof(spid)))
return err; return -EFAULT;
return 0; return 0;
} }
...@@ -190,8 +192,8 @@ int sc_ioctl(int card, scs_ioctl *data) ...@@ -190,8 +192,8 @@ int sc_ioctl(int card, scs_ioctl *data)
/* /*
* Get the spid from user space * Get the spid from user space
*/ */
if ((err = copy_from_user(spid, (char *) data->dataptr, sizeof(spid)))) if (copy_from_user(spid, (char *) data->dataptr, sizeof(spid)))
return err; return -EFAULT;
pr_debug("%s: SCIOCSETSPID: setting channel %d spid to %s\n", pr_debug("%s: SCIOCSETSPID: setting channel %d spid to %s\n",
adapter[card]->devicename, data->channel, spid); adapter[card]->devicename, data->channel, spid);
...@@ -237,8 +239,8 @@ int sc_ioctl(int card, scs_ioctl *data) ...@@ -237,8 +239,8 @@ int sc_ioctl(int card, scs_ioctl *data)
/* /*
* Package the dn and send to user space * Package the dn and send to user space
*/ */
if ((err = copy_to_user((char *) data->dataptr, dn, sizeof(dn)))) if (copy_to_user((char *)data->dataptr, dn, sizeof(dn)))
return err; return -EFAULT;
return 0; return 0;
} }
...@@ -254,8 +256,8 @@ int sc_ioctl(int card, scs_ioctl *data) ...@@ -254,8 +256,8 @@ int sc_ioctl(int card, scs_ioctl *data)
/* /*
* Get the spid from user space * Get the spid from user space
*/ */
if ((err = copy_from_user(dn, (char *) data->dataptr, sizeof(dn)))) if (copy_from_user(dn, (char *)data->dataptr, sizeof(dn)))
return err; return -EFAULT;
pr_debug("%s: SCIOCSETDN: setting channel %d dn to %s\n", pr_debug("%s: SCIOCSETDN: setting channel %d dn to %s\n",
adapter[card]->devicename, data->channel, dn); adapter[card]->devicename, data->channel, dn);
...@@ -290,8 +292,9 @@ int sc_ioctl(int card, scs_ioctl *data) ...@@ -290,8 +292,9 @@ int sc_ioctl(int card, scs_ioctl *data)
pr_debug("%s: SCIOSTAT: ioctl received\n", adapter[card]->devicename); pr_debug("%s: SCIOSTAT: ioctl received\n", adapter[card]->devicename);
GetStatus(card, &bi); GetStatus(card, &bi);
if ((err = copy_to_user((boardInfo *) data->dataptr, &bi, sizeof(boardInfo)))) if (copy_to_user((boardInfo *)data->dataptr, &bi,
return err; sizeof(boardInfo)))
return -EFAULT;
return 0; return 0;
} }
...@@ -324,8 +327,8 @@ int sc_ioctl(int card, scs_ioctl *data) ...@@ -324,8 +327,8 @@ int sc_ioctl(int card, scs_ioctl *data)
/* /*
* Package the switch type and send to user space * Package the switch type and send to user space
*/ */
if ((err = copy_to_user((char *) data->dataptr, &speed, sizeof(char)))) if (copy_to_user((char *) data->dataptr, &speed, sizeof(char)))
return err; return -EFAULT;
return 0; return 0;
} }
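Review bot: The SCIOCSETSPID and SCIOCSETDN paths copy `sizeof(spid)` / `sizeof(dn)` bytes from user space and then pass the buffer straight to `pr_debug` with `%s`, so a caller that fills the whole buffer without a NUL makes the kernel read past its end. Terminate after each copy, e.g. `spid[sizeof(spid) - 1] = '\0';` and `dn[sizeof(dn) - 1] = '\0';` (this assumes both are arrays, as the `sizeof` lengths suggest; the declarations are outside the hunks). The comment above the `dn` copy still reads "Get the spid from user space", and several copy_to_user sites say "Package the switch type" for other values; each should name the data actually transferred.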
......
...@@ -126,7 +126,6 @@ int tpam_command(isdn_ctrl *c) { ...@@ -126,7 +126,6 @@ int tpam_command(isdn_ctrl *c) {
*/ */
static int tpam_command_ioctl_dspload(tpam_card *card, u32 arg) { static int tpam_command_ioctl_dspload(tpam_card *card, u32 arg) {
tpam_dsp_ioctl tdl; tpam_dsp_ioctl tdl;
int ret;
dprintk("TurboPAM(tpam_command_ioctl_dspload): card=%d\n", card->id); dprintk("TurboPAM(tpam_command_ioctl_dspload): card=%d\n", card->id);
...@@ -141,10 +140,9 @@ static int tpam_command_ioctl_dspload(tpam_card *card, u32 arg) { ...@@ -141,10 +140,9 @@ static int tpam_command_ioctl_dspload(tpam_card *card, u32 arg) {
return -EPERM; return -EPERM;
/* write the data in the board's memory */ /* write the data in the board's memory */
ret = copy_from_user_to_pam(card, (void *)tdl.address, return copy_from_user_to_pam(card, (void *)tdl.address,
(void *)arg + sizeof(tpam_dsp_ioctl), (void *)arg + sizeof(tpam_dsp_ioctl),
tdl.data_len); tdl.data_len);
return 0;
} }
/* /*
...@@ -158,7 +156,6 @@ static int tpam_command_ioctl_dspload(tpam_card *card, u32 arg) { ...@@ -158,7 +156,6 @@ static int tpam_command_ioctl_dspload(tpam_card *card, u32 arg) {
*/ */
static int tpam_command_ioctl_dspsave(tpam_card *card, u32 arg) { static int tpam_command_ioctl_dspsave(tpam_card *card, u32 arg) {
tpam_dsp_ioctl tdl; tpam_dsp_ioctl tdl;
int ret;
dprintk("TurboPAM(tpam_command_ioctl_dspsave): card=%d\n", card->id); dprintk("TurboPAM(tpam_command_ioctl_dspsave): card=%d\n", card->id);
...@@ -171,9 +168,8 @@ static int tpam_command_ioctl_dspsave(tpam_card *card, u32 arg) { ...@@ -171,9 +168,8 @@ static int tpam_command_ioctl_dspsave(tpam_card *card, u32 arg) {
return -EPERM; return -EPERM;
/* read the data from the board's memory */ /* read the data from the board's memory */
ret = copy_from_pam_to_user(card, (void *)arg + sizeof(tpam_dsp_ioctl), return copy_from_pam_to_user(card, (void *)arg + sizeof(tpam_dsp_ioctl),
(void *)tdl.address, tdl.data_len); (void *)tdl.address, tdl.data_len);
return ret;
} }
/* /*
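Review bot: tpam_command_ioctl_dspload and tpam_command_ioctl_dspsave now return whatever copy_from_user_to_pam / copy_from_pam_to_user return, but neither helper is visible here, so it is worth confirming they yield 0 or a negative errno rather than a count of uncopied bytes, which would reach the ioctl caller as a positive value. Both functions also pass the user-supplied `tdl.address` and `tdl.data_len` to the helper as board address and length; the `-EPERM` return just above suggests some validation exists outside these hunks, and a one-line comment stating the accepted range at that check would document the bound the copy relies on.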
......