[openib-general] [PATCH] Check copy_from_user in user_mad.c

Roland Dreier roland at topspin.com
Thu Jun 16 15:52:57 PDT 2005


We should be checking the return value of copy_from_user(), right?

--- infiniband/core/user_mad.c	(revision 2641)
+++ infiniband/core/user_mad.c	(working copy)
@@ -355,18 +355,26 @@ static ssize_t ib_umad_write(struct file
 
 	if (!rmpp_active) {
 		/* Copy message from user into send buffer */
-		copy_from_user(packet->msg->mad,
-			       buf + sizeof(struct ib_user_mad), length);
+		if (copy_from_user(packet->msg->mad,
+				   buf + sizeof(struct ib_user_mad), length)) {
+			ret = -EFAULT;
+			goto err_msg;
+		}
 	} else {
 		rmpp_hdr_size = sizeof(struct ib_mad_hdr) +
 				sizeof(struct ib_rmpp_hdr);
+
 		/* Only copy MAD headers (RMPP header in place) */
 		memcpy(packet->msg->mad, packet->mad.data,
 		       sizeof(struct ib_mad_hdr));
+
 		/* Now, copy rest of message from user into send buffer */
-		copy_from_user(((struct ib_rmpp_mad *)packet->msg->mad)->data,
-				buf + sizeof(struct ib_user_mad) + rmpp_hdr_size,
-				length - rmpp_hdr_size);
+		if (copy_from_user(((struct ib_rmpp_mad *) packet->msg->mad)->data,
+				   buf + sizeof (struct ib_user_mad) + rmpp_hdr_size,
+				   length - rmpp_hdr_size)) {
+			ret = -EFAULT;
+			goto err_msg;
+		}
 	}
 
 	/*
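Review bot: The RMPP branch now passes `length - rmpp_hdr_size` to copy_from_user, and if `length` is unsigned and nothing earlier in ib_umad_write guarantees `length >= rmpp_hdr_size`, that subtraction wraps and the copy size becomes huge; the length validation, if any, is outside this hunk, so it is worth confirming it covers the RMPP header case, e.g. `if (length < rmpp_hdr_size) { ret = -EINVAL; goto err_msg; }` before the copy. Treating any non-zero return as -EFAULT is right, since copy_from_user reports the number of bytes it could not copy, so a partial copy is rejected the same way as a bad user pointer. The `err_msg` label and the remainder of ib_umad_write lie outside the hunk, so whether it releases packet->msg on this path cannot be checked here. As a point of style, the new lines spell the operator both as `sizeof(struct ib_user_mad)` and `sizeof (struct ib_user_mad)`; pick one form.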


