V4L/DVB (8131): dmx_write: memcpy from user-supplied pointer

... copy to kernel memory first

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
Al Viro 2008-06-22 14:20:19 -03:00 committed by Mauro Carvalho Chehab
parent b0ba0e3ab6
commit 947a080037
2 changed files with 15 additions and 4 deletions


@ -247,7 +247,7 @@ struct dmx_demux {
void* priv; /* Pointer to private data of the API client */
int (*open) (struct dmx_demux* demux);
int (*close) (struct dmx_demux* demux);
int (*write) (struct dmx_demux* demux, const char* buf, size_t count);
int (*write) (struct dmx_demux* demux, const char __user *buf, size_t count);
int (*allocate_ts_feed) (struct dmx_demux* demux,
struct dmx_ts_feed** feed,
dmx_ts_cb callback);
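Review bot: The `write` member now takes a `const char __user *buf`, but nothing at the declaration tells implementers that the pointer must not be dereferenced directly. This page shows only one implementation being updated (`dvbdmx_write`), so any other `->write` implementation or in-kernel caller that passes a kernel buffer would need the same audit; whether such users exist cannot be seen from here. I would add a comment on the member such as `/* buf is a userspace pointer; implementations must copy it into kernel memory before use */`. The `struct dmx_demux` definition starts and ends outside this hunk.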


@ -1056,16 +1056,27 @@ static int dvbdmx_close(struct dmx_demux *demux)
return 0;
}
static int dvbdmx_write(struct dmx_demux *demux, const char *buf, size_t count)
static int dvbdmx_write(struct dmx_demux *demux, const char __user *buf, size_t count)
{
struct dvb_demux *dvbdemux = (struct dvb_demux *)demux;
void *p;
if ((!demux->frontend) || (demux->frontend->source != DMX_MEMORY_FE))
return -EINVAL;
if (mutex_lock_interruptible(&dvbdemux->mutex))
p = kmalloc(count, GFP_USER);
if (!p)
return -ENOMEM;
if (copy_from_user(p, buf, count)) {
kfree(p);
return -EFAULT;
}
if (mutex_lock_interruptible(&dvbdemux->mutex)) {
kfree(p);
return -ERESTARTSYS;
dvb_dmx_swfilter(dvbdemux, (u8 *)buf, count);
}
dvb_dmx_swfilter(dvbdemux, p, count);
kfree(p);
mutex_unlock(&dvbdemux->mutex);
if (signal_pending(current))
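Review bot: `count` is passed straight to `kmalloc(count, GFP_USER)` with no upper bound visible in this hunk, so a single large write now requests one contiguous allocation of caller-chosen size and fails with -ENOMEM where the old code had no size limit. If no caller clamps `count`, consider rejecting oversized requests before allocating, or copying and filtering in bounded chunks so the per-call allocation stays small. Where the helper is available, the allocate-and-copy pair could also be written as `p = memdup_user(buf, count);` with an `IS_ERR(p)` check, which removes one of the three separate `kfree(p)` exit paths. The body of `dvbdmx_write` continues past the end of the hunk.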