* 2 of the License, or (at your option) any later version.
*/
+#include <linux/capability.h>
#include <linux/kernel.h>
#include <linux/if_bridge.h>
#include <linux/netdevice.h>
{
int num;
void *buf;
- size_t size = maxnum * sizeof(struct __fdb_entry);
+ size_t size;
- if (size > PAGE_SIZE) {
- size = PAGE_SIZE;
+ /* Clamp size to PAGE_SIZE, test maxnum to avoid overflow */
+ if (maxnum > PAGE_SIZE/sizeof(struct __fdb_entry))
maxnum = PAGE_SIZE/sizeof(struct __fdb_entry);
- }
+
+ size = maxnum * sizeof(struct __fdb_entry);
buf = kmalloc(size, GFP_USER);
if (!buf)
b.gc_timer_value = br_timer_value(&br->gc_timer);
rcu_read_unlock();
- if (copy_to_user((void *)args[1], &b, sizeof(b)))
+ if (copy_to_user((void __user *)args[1], &b, sizeof(b)))
return -EFAULT;
return 0;
if (num > BR_MAX_PORTS)
num = BR_MAX_PORTS;
- indices = kmalloc(num*sizeof(int), GFP_KERNEL);
+ indices = kcalloc(num, sizeof(int), GFP_KERNEL);
if (indices == NULL)
return -ENOMEM;
- memset(indices, 0, num*sizeof(int));
-
get_port_ifindices(br, indices, num);
- if (copy_to_user((void *)args[1], indices, num*sizeof(int)))
+ if (copy_to_user((void __user *)args[1], indices, num*sizeof(int)))
num = -EFAULT;
kfree(indices);
return num;
rcu_read_unlock();
- if (copy_to_user((void *)args[1], &p, sizeof(p)))
+ if (copy_to_user((void __user *)args[1], &p, sizeof(p)))
return -EFAULT;
return 0;
return -EOPNOTSUPP;
}
-static int old_deviceless(unsigned long uarg)
+static int old_deviceless(void __user *uarg)
{
unsigned long args[3];
- if (copy_from_user(args, (void *)uarg, sizeof(args)))
+ if (copy_from_user(args, uarg, sizeof(args)))
return -EFAULT;
switch (args[0]) {
int *indices;
int ret = 0;
- indices = kmalloc(args[2]*sizeof(int), GFP_KERNEL);
+ if (args[2] >= 2048)
+ return -ENOMEM;
+ indices = kcalloc(args[2], sizeof(int), GFP_KERNEL);
if (indices == NULL)
return -ENOMEM;
- memset(indices, 0, args[2]*sizeof(int));
args[2] = get_bridge_ifindices(indices, args[2]);
- ret = copy_to_user((void *)args[1], indices, args[2]*sizeof(int))
+ ret = copy_to_user((void __user *)args[1], indices, args[2]*sizeof(int))
? -EFAULT : args[2];
kfree(indices);
if (!capable(CAP_NET_ADMIN))
return -EPERM;
- if (copy_from_user(buf, (void *)args[1], IFNAMSIZ))
+ if (copy_from_user(buf, (void __user *)args[1], IFNAMSIZ))
return -EFAULT;
buf[IFNAMSIZ-1] = 0;
return -EOPNOTSUPP;
}
-int br_ioctl_deviceless_stub(unsigned int cmd, unsigned long uarg)
+int br_ioctl_deviceless_stub(unsigned int cmd, void __user *uarg)
{
switch (cmd) {
case SIOCGIFBR:
if (!capable(CAP_NET_ADMIN))
return -EPERM;
- if (copy_from_user(buf, (void __user *) uarg, IFNAMSIZ))
+ if (copy_from_user(buf, uarg, IFNAMSIZ))
return -EFAULT;
buf[IFNAMSIZ-1] = 0;
}
- printk(KERN_DEBUG "Bridge does not support ioctl 0x%x\n", cmd);
+ pr_debug("Bridge does not support ioctl 0x%x\n", cmd);
return -EOPNOTSUPP;
}