NFC: Copy user space buffer when sending UI frames

Using the userspace IO vector directly is wrong, we should copy it from user space first. Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
git-mirror · Nov 19, 2012 · 6e950fd · 6e950fd
1 parent 08eaa1e
commit 6e950fd
Showing 1 changed file with 13 additions and 2 deletions.
diff --git a/net/nfc/llcp/commands.c b/net/nfc/llcp/commands.c
@@ -579,7 +579,7 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap,
 	struct sk_buff *pdu;
 	struct nfc_llcp_local *local;
 	size_t frag_len = 0, remaining_len;
-	u8 *msg_ptr;
+	u8 *msg_ptr, *msg_data;
 	int err;
 
 	pr_debug("Send UI frame len %zd\n", len);
@@ -588,8 +588,17 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap,
 	if (local == NULL)
 		return -ENODEV;
 
+	msg_data = kzalloc(len, GFP_KERNEL);
+	if (msg_data == NULL)
+		return -ENOMEM;
+
+	if (memcpy_fromiovec(msg_data, msg->msg_iov, len)) {
+		kfree(msg_data);
+		return -EFAULT;
+	}
+
 	remaining_len = len;
-	msg_ptr = (u8 *) msg->msg_iov;
+	msg_ptr = msg_data;
 
 	while (remaining_len > 0) {
 
@@ -616,6 +625,8 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap,
 		msg_ptr += frag_len;
 	}
 
+	kfree(msg_data);
+
 	return len;
 }