diff options
| author | Peter Hurley <peter@hurleysoftware.com> | 2013-04-30 19:14:37 -0700 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2013-05-01 08:12:57 -0700 |
| commit | da085d4591a6fe11eac2e1f659f25b655e9f2e53 (patch) | |
| tree | 3f6ce1efcbf85c4a3752ef848c0fdf1e62381688 /ipc/msgutil.c | |
| parent | be5f4b335f6e05df1b5c24b7e7d79ff52d7b8dbc (diff) | |
| download | olio-linux-3.10-da085d4591a6fe11eac2e1f659f25b655e9f2e53.tar.xz olio-linux-3.10-da085d4591a6fe11eac2e1f659f25b655e9f2e53.zip | |
ipc: tighten msg copy loops
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Acked-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'ipc/msgutil.c')
| -rw-r--r-- | ipc/msgutil.c | 32 |
1 files changed, 11 insertions, 21 deletions
diff --git a/ipc/msgutil.c b/ipc/msgutil.c index 0a5c8a95c25..b79582d461a 100644 --- a/ipc/msgutil.c +++ b/ipc/msgutil.c @@ -97,18 +97,14 @@ struct msg_msg *load_msg(const void __user *src, int len) goto out_err; } - len -= alen; - src = ((char __user *)src) + alen; - seg = msg->next; - while (len > 0) { + for (seg = msg->next; seg != NULL; seg = seg->next) { + len -= alen; + src = (char __user *)src + alen; alen = min(len, DATALEN_SEG); if (copy_from_user(seg + 1, src, alen)) { err = -EFAULT; goto out_err; } - seg = seg->next; - len -= alen; - src = ((char __user *)src) + alen; } err = security_msg_msg_alloc(msg); @@ -135,15 +131,13 @@ struct msg_msg *copy_msg(struct msg_msg *src, struct msg_msg *dst) alen = min(len, DATALEN_MSG); memcpy(dst + 1, src + 1, alen); - len -= alen; - dst_pseg = dst->next; - src_pseg = src->next; - while (len > 0) { + for (dst_pseg = dst->next, src_pseg = src->next; + src_pseg != NULL; + dst_pseg = dst_pseg->next, src_pseg = src_pseg->next) { + + len -= alen; alen = min(len, DATALEN_SEG); memcpy(dst_pseg + 1, src_pseg + 1, alen); - dst_pseg = dst_pseg->next; - len -= alen; - src_pseg = src_pseg->next; } dst->m_type = src->m_type; @@ -166,16 +160,12 @@ int store_msg(void __user *dest, struct msg_msg *msg, int len) if (copy_to_user(dest, msg + 1, alen)) return -1; - len -= alen; - dest = ((char __user *)dest) + alen; - seg = msg->next; - while (len > 0) { + for (seg = msg->next; seg != NULL; seg = seg->next) { + len -= alen; + dest = (char __user *)dest + alen; alen = min(len, DATALEN_SEG); if (copy_to_user(dest, seg + 1, alen)) return -1; - len -= alen; - dest = ((char __user *)dest) + alen; - seg = seg->next; } return 0; } |