smackfs: restrict bytes count in smk_set_cipso()

[linux-2.6-microblaze.git] / security / smack / smackfs.c

diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index 5d44b7d..3a75d2a 100644 (file)
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -380,7 +380,7 @@ static int smk_parse_rule(const char *data, struct smack_parsed_rule *rule,
  * @data: string to be parsed, null terminated
  * @rule: Will be filled with Smack parsed rule
  * @import: if non-zero, import labels
- * @tokens: numer of substrings expected in data
+ * @tokens: number of substrings expected in data
  *
  * Returns number of processed bytes on success, -ERRNO on failure.
  */
@@ -855,6 +855,8 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf,
        if (format == SMK_FIXED24_FMT &&
            (count < SMK_CIPSOMIN || count > SMK_CIPSOMAX))
                return -EINVAL;
+       if (count > PAGE_SIZE)
+               return -EINVAL;
 
        data = memdup_user_nul(buf, count);
        if (IS_ERR(data))
@@ -1167,7 +1169,7 @@ static ssize_t smk_write_net4addr(struct file *file, const char __user *buf,
                return -EPERM;
        if (*ppos != 0)
                return -EINVAL;
-       if (count < SMK_NETLBLADDRMIN)
+       if (count < SMK_NETLBLADDRMIN || count > PAGE_SIZE - 1)
                return -EINVAL;
 
        data = memdup_user_nul(buf, count);
@@ -1427,7 +1429,7 @@ static ssize_t smk_write_net6addr(struct file *file, const char __user *buf,
                return -EPERM;
        if (*ppos != 0)
                return -EINVAL;
-       if (count < SMK_NETLBLADDRMIN)
+       if (count < SMK_NETLBLADDRMIN || count > PAGE_SIZE - 1)
                return -EINVAL;
 
        data = memdup_user_nul(buf, count);
@@ -1834,6 +1836,10 @@ static ssize_t smk_write_ambient(struct file *file, const char __user *buf,
        if (!smack_privileged(CAP_MAC_ADMIN))
                return -EPERM;
 
+       /* Enough data must be present */
+       if (count == 0 || count > PAGE_SIZE)
+               return -EINVAL;
+
        data = memdup_user_nul(buf, count);
        if (IS_ERR(data))
                return PTR_ERR(data);
@@ -2005,6 +2011,9 @@ static ssize_t smk_write_onlycap(struct file *file, const char __user *buf,
        if (!smack_privileged(CAP_MAC_ADMIN))
                return -EPERM;
 
+       if (count > PAGE_SIZE)
+               return -EINVAL;
+
        data = memdup_user_nul(buf, count);
        if (IS_ERR(data))
                return PTR_ERR(data);
@@ -2092,6 +2101,9 @@ static ssize_t smk_write_unconfined(struct file *file, const char __user *buf,
        if (!smack_privileged(CAP_MAC_ADMIN))
                return -EPERM;
 
+       if (count > PAGE_SIZE)
+               return -EINVAL;
+
        data = memdup_user_nul(buf, count);
        if (IS_ERR(data))
                return PTR_ERR(data);
@@ -2648,6 +2660,10 @@ static ssize_t smk_write_syslog(struct file *file, const char __user *buf,
        if (!smack_privileged(CAP_MAC_ADMIN))
                return -EPERM;
 
+       /* Enough data must be present */
+       if (count == 0 || count > PAGE_SIZE)
+               return -EINVAL;
+
        data = memdup_user_nul(buf, count);
        if (IS_ERR(data))
                return PTR_ERR(data);
@@ -2740,10 +2756,13 @@ static ssize_t smk_write_relabel_self(struct file *file, const char __user *buf,
                return -EPERM;
 
        /*
+        * No partial write.
         * Enough data must be present.
         */
        if (*ppos != 0)
                return -EINVAL;
+       if (count == 0 || count > PAGE_SIZE)
+               return -EINVAL;
 
        data = memdup_user_nul(buf, count);
        if (IS_ERR(data))