spi/spidev: check message size before copying

Message size needs to be checked before copying, or bad things could
happen.

Signed-off-by: Domen Puncer <domen.puncer@telargo.com>
Signed-off-by: David Brownell <dbrownell@users.sourceforge.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This commit is contained in:
Domen Puncer 2007-05-23 13:57:39 -07:00 committed by Linus Torvalds
parent b7add02d62
commit da90fa8ff6

View File

@ -168,6 +168,12 @@ static int spidev_message(struct spidev_data *spidev,
n--, k_tmp++, u_tmp++) {
k_tmp->len = u_tmp->len;
total += k_tmp->len;
if (total > bufsiz) {
status = -EMSGSIZE;
goto done;
}
if (u_tmp->rx_buf) {
k_tmp->rx_buf = buf;
if (!access_ok(VERIFY_WRITE, u_tmp->rx_buf, u_tmp->len))
@ -179,12 +185,6 @@ static int spidev_message(struct spidev_data *spidev,
u_tmp->len))
goto done;
}
total += k_tmp->len;
if (total > bufsiz) {
status = -EMSGSIZE;
goto done;
}
buf += k_tmp->len;
k_tmp->cs_change = !!u_tmp->cs_change;