Attachment #51305 for bug #78362




	 (struct compat_cmsghdr __user *)((msg)->msg_control) :		\
	 (struct compat_cmsghdr __user *)NULL)

#define CMSG_COMPAT_OK(ucmlen, ucmsg, mhdr) \
	((ucmlen) >= sizeof(struct cmsghdr) && \
	 (ucmlen) <= (unsigned long) \
	 ((mhdr)->msg_controllen - \
	  ((char *)(ucmsg) - (char *)(mhdr)->msg_control)))

static inline struct compat_cmsghdr __user *cmsg_compat_nxthdr(struct msghdr *msg,
		struct compat_cmsghdr __user *cmsg, int cmsg_len)
{

			return -EFAULT;

		/* Catch bogons. */
		if (!CMSG_COMPAT_OK(ucmlen, ucmsg, kmsg))
		   CMSG_COMPAT_ALIGN(sizeof(struct compat_cmsghdr)))
			return -EINVAL;
		if((unsigned long)(((char __user *)ucmsg - (char __user *)kmsg->msg_control)
				   + ucmlen) > kmsg->msg_controllen)
			return -EINVAL;

		tmp = ((ucmlen - CMSG_COMPAT_ALIGN(sizeof(*ucmsg))) +

Lines 768-773 Link Here

(-)a/drivers/char/vt.c (+5 lines)
768	* [this is to be used together with some user program	768	* [this is to be used together with some user program
769	* like resize that changes the hardware videomode]	769	* like resize that changes the hardware videomode]
770	*/	770	*/
		771	#define VC_RESIZE_MAXCOL (32767)
		772	#define VC_RESIZE_MAXROW (32767)
771	int vc_resize(int currcons, unsigned int cols, unsigned int lines)	773	int vc_resize(int currcons, unsigned int cols, unsigned int lines)
772	{	774	{
773	unsigned long old_origin, new_origin, new_scr_end, rlth, rrem, err = 0;	775	unsigned long old_origin, new_origin, new_scr_end, rlth, rrem, err = 0;
Lines 779-784 Link Here
779		781
780	if (!vc_cons_allocated(currcons))	782	if (!vc_cons_allocated(currcons))
781	return -ENXIO;	783	return -ENXIO;
		784
		785	if (cols > VC_RESIZE_MAXCOL \|\| lines > VC_RESIZE_MAXROW)
		786	return -EINVAL;
782		787
783	new_cols = (cols ? cols : video_num_columns);	788	new_cols = (cols ? cols : video_num_columns);
784	new_rows = (lines ? lines : video_num_lines);	789	new_rows = (lines ? lines : video_num_lines);

Return to bug 78362

Lines 124-129 Link Here

(-)a/net/compat.c (-5 / +7 lines)
124	(struct compat_cmsghdr __user *)((msg)->msg_control) : \	124	(struct compat_cmsghdr __user *)((msg)->msg_control) : \
125	(struct compat_cmsghdr __user *)NULL)	125	(struct compat_cmsghdr __user *)NULL)
126		126
		127	#define CMSG_COMPAT_OK(ucmlen, ucmsg, mhdr) \
		128	((ucmlen) >= sizeof(struct cmsghdr) && \
		129	(ucmlen) <= (unsigned long) \
		130	((mhdr)->msg_controllen - \
		131	((char )(ucmsg) - (char )(mhdr)->msg_control)))
		132
127	static inline struct compat_cmsghdr __user cmsg_compat_nxthdr(struct msghdr msg,	133	static inline struct compat_cmsghdr __user cmsg_compat_nxthdr(struct msghdr msg,
128	struct compat_cmsghdr __user *cmsg, int cmsg_len)	134	struct compat_cmsghdr __user *cmsg, int cmsg_len)
129	{	135	{
Lines 154-164 Link Here
154	return -EFAULT;	160	return -EFAULT;
155		161
156	/* Catch bogons. */	162	/* Catch bogons. */
157	if(CMSG_COMPAT_ALIGN(ucmlen) <	163	if (!CMSG_COMPAT_OK(ucmlen, ucmsg, kmsg))
158	CMSG_COMPAT_ALIGN(sizeof(struct compat_cmsghdr)))
159	return -EINVAL;
160	if((unsigned long)(((char __user )ucmsg - (char __user )kmsg->msg_control)
161	+ ucmlen) > kmsg->msg_controllen)
162	return -EINVAL;	164	return -EINVAL;
163		165
164	tmp = ((ucmlen - CMSG_COMPAT_ALIGN(sizeof(*ucmsg))) +	166	tmp = ((ucmlen - CMSG_COMPAT_ALIGN(sizeof(*ucmsg))) +