From 653252c2302cdf2dfbca66a7e177f7db783f9efa Mon Sep 17 00:00:00 2001 From: Pavel Emelyanov Date: Fri, 25 Apr 2008 01:49:48 -0700 Subject: [PATCH] net: Fix wrong interpretation of some copy_to_user() results. I found some places, that erroneously return the value obtained from the copy_to_user() call: if some amount of bytes were not able to get to the user (this is what this one returns) the proper behavior is to return the -EFAULT error, not that number itself. Signed-off-by: Pavel Emelyanov Signed-off-by: David S. Miller --- net/can/raw.c | 3 ++- net/dccp/probe.c | 2 +- net/tipc/socket.c | 4 ++-- 3 files changed, 5 insertions(+), 4 deletions(-) diff --git a/net/can/raw.c b/net/can/raw.c index ead50c7c0d4..201cbfc6b9e 100644 --- a/net/can/raw.c +++ b/net/can/raw.c @@ -573,7 +573,8 @@ static int raw_getsockopt(struct socket *sock, int level, int optname, int fsize = ro->count * sizeof(struct can_filter); if (len > fsize) len = fsize; - err = copy_to_user(optval, ro->filter, len); + if (copy_to_user(optval, ro->filter, len)) + err = -EFAULT; } else len = 0; release_sock(sk); diff --git a/net/dccp/probe.c b/net/dccp/probe.c index 6e1df62bd7c..0bcdc925027 100644 --- a/net/dccp/probe.c +++ b/net/dccp/probe.c @@ -140,7 +140,7 @@ static ssize_t dccpprobe_read(struct file *file, char __user *buf, goto out_free; cnt = kfifo_get(dccpw.fifo, tbuf, len); - error = copy_to_user(buf, tbuf, cnt); + error = copy_to_user(buf, tbuf, cnt) ? -EFAULT : 0; out_free: vfree(tbuf); diff --git a/net/tipc/socket.c b/net/tipc/socket.c index 05853159536..230f9ca2ad6 100644 --- a/net/tipc/socket.c +++ b/net/tipc/socket.c @@ -1756,8 +1756,8 @@ static int getsockopt(struct socket *sock, else if (len < sizeof(value)) { res = -EINVAL; } - else if ((res = copy_to_user(ov, &value, sizeof(value)))) { - /* couldn't return value */ + else if (copy_to_user(ov, &value, sizeof(value))) { + res = -EFAULT; } else { res = put_user(sizeof(value), ol); -- 2.41.1