What happens when *length is less than zero?
On Thu, Aug 09, 2001 at 10:00:41AM -0700, richard offer wrote:
> +int sys_security (int module_id, int cmd, int copy, void *user_data, int *length)
> +{
> + char *kern_data = ( copy ? NULL : user_data );
> + int error = 0;
> +
> + /* Make sure application is calling the right module */
> + if (module_id != security_ops->module_id)
> + return -ENOPKG;
> +
> + if (copy && length && *length) {
> + kern_data = kmalloc(*length, GFP_KERNEL);
> + if (!kern_data) {
> + error = -ENOMEM;
> + goto out;
> + }
> +
> + if (copy_from_user(kern_data, user_data, *length)) {
> + error = -EFAULT;
> + goto out;
> + }
> + }
> +
> + error = security_ops->syscall(cmd, kern_data, length);
> + if (error)
> + goto out;
> +
> + if (copy && length) {
> + if (copy_to_user(user_data, kern_data, *length)) {
> + error = -EFAULT;
> + goto out;
> + }
> + }
> +out:
> + if (copy && kern_data)
> + kfree(kern_data);
> +
> + return error;
> +}
_______________________________________________ linux-security-module mailing list linux-security-moduleat_private http://mail.wirex.com/mailman/listinfo/linux-security-module
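Review bot: `length` arrives from the caller of the system call but is dereferenced directly (`*length`) at the `kmalloc`, `copy_from_user` and `copy_to_user` calls instead of being fetched once through `get_user`, so the size that was allocated and the size later copied are separate reads of memory the caller can change. The copy-out also uses whatever `*length` holds after `security_ops->syscall` returns, with no comparison against the allocated size, and when `*length` was zero on entry `kern_data` is still NULL at that `copy_to_user`. I would read it once into a local, `if (length && get_user(len, length)) return -EFAULT;`, use `len` for the allocation and the copy-in, and guard the copy-out as `if (copy && kern_data)` with a count clamped to `len`. How a length updated by the module should be reported back to the caller is not visible in this hunk, so that part needs the module interface to decide.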