Community Company Search Contact

user1.c from CQual at Krugle

Show user1.c syntax highlighted

/* This is a simplified version of a real bug found in the kernel
   using cqual. */

static inline unsigned long
copy_from_user(void * to, const void   * from, unsigned long n);

void * kmalloc(int, int);


struct msg {
 	short len;
 	char *buf;
};

struct ioctl_data
{
	struct msg *msgs;
	int nmsgs;
};

int dev_ioctl (long arg)
{
	struct ioctl_data karg;
	struct msg * msgs;
	int i;

	copy_from_user(&karg, (struct ioctl_data *)arg, sizeof(karg));
	/* At this point, karg.msgs is a user pointer */

	msgs = kmalloc(karg.nmsgs * sizeof(*msgs), 0);
	copy_from_user(msgs, karg.msgs, karg.nmsgs * sizeof(*msgs));

	for (i = 0; i < karg.nmsgs; i++) {
		msgs[i].buf = kmalloc(msgs[i].len, 0);
		
		/* ERROR! loading the value "karg.msgs[i].buf" from
		   memory requires dereferencing a user pointer. */
		copy_from_user(msgs[i].buf, karg.msgs[i].buf, msgs[i].len);
	}

}

See more files for this project here

CQual

CQual - A tool for adding type qualifiers to C

Project homepage: http://sourceforge.net/projects/cqual
Programming language(s): C,Java,Shell Script
License: other

  README
  linux-lock.c
  linux-lock.i
  linux-lock2.c
  linux-lock2.i
  lock.c
  lock2.c
  lock3.c
  rcs1.c
  rcs2.c
  rcs3.c
  taint-cast.c
  taint-const-subtyping.c
  taint-poly.c
  taint-varargs.c
  taint0.c
  taint1.c
  taint2.c
  user0.c
  user1.c
  y2k1.c
  y2k2.c
  y2k3.c
  y2k4.c