X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=net%2Fcore%2Fscm.c;h=271cf060ef8c69fb79f37768972af65b5457d835;hb=refs%2Fheads%2Fvserver;hp=bba5c5895eda81978a6f7afba8d76da7c3b7663b;hpb=5273a3df6485dc2ad6aa7ddd441b9a21970f003b;p=linux-2.6.git

diff --git a/net/core/scm.c b/net/core/scm.c
index bba5c5895..271cf060e 100644
--- a/net/core/scm.c
+++ b/net/core/scm.c
@@ -11,11 +11,11 @@
 
 #include <linux/module.h>
 #include <linux/signal.h>
+#include <linux/capability.h>
 #include <linux/errno.h>
 #include <linux/sched.h>
 #include <linux/mm.h>
 #include <linux/kernel.h>
-#include <linux/major.h>
 #include <linux/stat.h>
 #include <linux/socket.h>
 #include <linux/file.h>
@@ -127,9 +127,7 @@ int __scm_send(struct socket *sock, struct msghdr *msg, struct scm_cookie *p)
 		   for too short ancillary data object at all! Oops.
 		   OK, let's add it...
 		 */
-		if (cmsg->cmsg_len < sizeof(struct cmsghdr) ||
-		    (unsigned long)(((char*)cmsg - (char*)msg->msg_control)
-				    + cmsg->cmsg_len) > msg->msg_controllen)
+		if (!CMSG_OK(msg, cmsg))
 			goto error;
 
 		if (cmsg->cmsg_level != SOL_SOCKET)
@@ -169,7 +167,7 @@ error:
 
 int put_cmsg(struct msghdr * msg, int level, int type, int len, void *data)
 {
-	struct cmsghdr *cm = (struct cmsghdr*)msg->msg_control;
+	struct cmsghdr __user *cm = (struct cmsghdr __user *)msg->msg_control;
 	struct cmsghdr cmhdr;
 	int cmlen = CMSG_LEN(len);
 	int err;
@@ -204,16 +202,18 @@ out:
 
 void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm)
 {
-	struct cmsghdr *cm = (struct cmsghdr*)msg->msg_control;
+	struct cmsghdr __user *cm = (struct cmsghdr __user*)msg->msg_control;
 
 	int fdmax = 0;
 	int fdnum = scm->fp->count;
 	struct file **fp = scm->fp->fp;
-	int *cmfptr;
+	int __user *cmfptr;
 	int err = 0, i;
 
-	if (MSG_CMSG_COMPAT & msg->msg_flags)
-		return scm_detach_fds_compat(msg, scm);
+	if (MSG_CMSG_COMPAT & msg->msg_flags) {
+		scm_detach_fds_compat(msg, scm);
+		return;
+	}
 
 	if (msg->msg_controllen > sizeof(struct cmsghdr))
 		fdmax = ((msg->msg_controllen - sizeof(struct cmsghdr))
@@ -222,7 +222,7 @@ void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm)
 	if (fdnum < fdmax)
 		fdmax = fdnum;
 
-	for (i=0, cmfptr=(int*)CMSG_DATA(cm); i<fdmax; i++, cmfptr++)
+	for (i=0, cmfptr=(int __user *)CMSG_DATA(cm); i<fdmax; i++, cmfptr++)
 	{
 		int new_fd;
 		err = security_file_receive(fp[i]);
@@ -245,8 +245,7 @@ void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm)
 	if (i > 0)
 	{
 		int cmlen = CMSG_LEN(i*sizeof(int));
-		if (!err)
-			err = put_user(SOL_SOCKET, &cm->cmsg_level);
+		err = put_user(SOL_SOCKET, &cm->cmsg_level);
 		if (!err)
 			err = put_user(SCM_RIGHTS, &cm->cmsg_type);
 		if (!err)