summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAl Viro <viro@ftp.linux.org.uk>2008-06-22 14:20:19 -0300
committerMauro Carvalho Chehab <mchehab@infradead.org>2008-07-20 07:13:27 -0300
commit947a080037c6ae47cfe5072eadbd189e3da27ecd (patch)
treea6529d111edf7570146c6be6b524e4e84215fd07
parentb0ba0e3ab6f452321771325b7b5578f9a804f69e (diff)
V4L/DVB (8131): dmx_write: memcpy from user-supplied pointer
... copy to kernel memory first Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
-rw-r--r--drivers/media/dvb/dvb-core/demux.h2
-rw-r--r--drivers/media/dvb/dvb-core/dvb_demux.c17
2 files changed, 15 insertions, 4 deletions
diff --git a/drivers/media/dvb/dvb-core/demux.h b/drivers/media/dvb/dvb-core/demux.h
index b0d347daae47..eb91fd808c16 100644
--- a/drivers/media/dvb/dvb-core/demux.h
+++ b/drivers/media/dvb/dvb-core/demux.h
@@ -247,7 +247,7 @@ struct dmx_demux {
void* priv; /* Pointer to private data of the API client */
int (*open) (struct dmx_demux* demux);
int (*close) (struct dmx_demux* demux);
- int (*write) (struct dmx_demux* demux, const char* buf, size_t count);
+ int (*write) (struct dmx_demux* demux, const char __user *buf, size_t count);
int (*allocate_ts_feed) (struct dmx_demux* demux,
struct dmx_ts_feed** feed,
dmx_ts_cb callback);
diff --git a/drivers/media/dvb/dvb-core/dvb_demux.c b/drivers/media/dvb/dvb-core/dvb_demux.c
index 934e15fffc56..e2eca0b1fe7c 100644
--- a/drivers/media/dvb/dvb-core/dvb_demux.c
+++ b/drivers/media/dvb/dvb-core/dvb_demux.c
@@ -1056,16 +1056,27 @@ static int dvbdmx_close(struct dmx_demux *demux)
return 0;
}
-static int dvbdmx_write(struct dmx_demux *demux, const char *buf, size_t count)
+static int dvbdmx_write(struct dmx_demux *demux, const char __user *buf, size_t count)
{
struct dvb_demux *dvbdemux = (struct dvb_demux *)demux;
+ void *p;
if ((!demux->frontend) || (demux->frontend->source != DMX_MEMORY_FE))
return -EINVAL;
- if (mutex_lock_interruptible(&dvbdemux->mutex))
+ p = kmalloc(count, GFP_USER);
+ if (!p)
+ return -ENOMEM;
+ if (copy_from_user(p, buf, count)) {
+ kfree(p);
+ return -EFAULT;
+ }
+ if (mutex_lock_interruptible(&dvbdemux->mutex)) {
+ kfree(p);
return -ERESTARTSYS;
- dvb_dmx_swfilter(dvbdemux, (u8 *)buf, count);
+ }
+ dvb_dmx_swfilter(dvbdemux, p, count);
+ kfree(p);
mutex_unlock(&dvbdemux->mutex);
if (signal_pending(current))