The patch titled
     i2o: fix overflow of copy_to_user()
has been added to the -mm tree.  Its filename is
     i2o-fix-overflow-of-copy_to_user.patch

Before you just go and hit "reply", please:
   a) Consider who else should be cc'ed
   b) Prefer to cc a suitable mailing list as well
   c) Ideally: find the original patch on the mailing list and do a
      reply-to-all to that, adding suitable additional cc's

*** Remember to use Documentation/SubmitChecklist when testing your code ***

See http://userweb.kernel.org/~akpm/stuff/added-to-mm.txt to find
out what to do about this

The current -mm tree may be found at http://userweb.kernel.org/~akpm/mmotm/

------------------------------------------------------
Subject: i2o: fix overflow of copy_to_user()
From: Kulikov Vasiliy <segooon@xxxxxxxxx>

If (len > reslen) we must not call copy_to_user() since kernel buffer is
smaller than we want to copy.  Similar code in this file is correct, so
this bug was a typo.

Signed-off-by: Kulikov Vasiliy <segooon@xxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---

 drivers/message/i2o/i2o_config.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff -puN drivers/message/i2o/i2o_config.c~i2o-fix-overflow-of-copy_to_user drivers/message/i2o/i2o_config.c --- a/drivers/message/i2o/i2o_config.c~i2o-fix-overflow-of-copy_to_user +++ a/drivers/message/i2o/i2o_config.c @@ -115,7 +115,7 @@ static int i2o_cfg_gethrt(unsigned long put_user(len, kcmd.reslen); if (len > reslen) ret = -ENOBUFS; - if (copy_to_user(kcmd.resbuf, (void *)hrt, len)) + else if (copy_to_user(kcmd.resbuf, (void *)hrt, len)) ret = -EFAULT; return ret; _

Patches currently in -mm which might be from segooon@xxxxxxxxx are

origin.patch
linux-next.patch
i2o-fix-overflow-of-copy_to_user.patch
i2o-check-return-code-from-put_user.patch

--
To unsubscribe from this list: send the line "unsubscribe mm-commits" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
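
Review bot: put_user(len, kcmd.reslen) on the first context line of the i2o_cfg_gethrt() hunk still discards its return value, so a fault while writing the length back to user space never reaches ret and the code carries on to the length check as if the write had succeeded. Suggest folding it into the same chain, for example `if (put_user(len, kcmd.reslen)) ret = -EFAULT; else if (len > reslen) ret = -ENOBUFS; else if (copy_to_user(kcmd.resbuf, (void *)hrt, len)) ret = -EFAULT;`, or confirming that i2o-check-return-code-from-put_user.patch, listed in this mail, covers this call and is merged alongside. The changelog would also be easier to triage if it said outright that the old code issued the len-byte copy_to_user() even after setting -ENOBUFS, and that a successful copy left -ENOBUFS as the return value.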