[PATCH] coda: bounds checking

This patch adds bounds checks for tainted scalars (reported by Brian Fulton
and Ted Unangst, Coverity Inc.).
Signed-off-by: Jan Harkes <jaharkes@cs.cmu.edu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

fs/coda/upcall.c

@@ -555,6 +555,11 @@ int venus_pioctl(struct super_block *sb, struct CodaFid *fid,
 		goto exit;
         }
 
+        if (data->vi.out_size > VC_MAXDATASIZE) {
+		error = -EINVAL;
+		goto exit;
+	}
+
         inp->coda_ioctl.VFid = *fid;
     
         /* the cmd field was mutated by increasing its size field to
@@ -584,17 +589,24 @@ int venus_pioctl(struct super_block *sb, struct CodaFid *fid,
 		goto exit; 
 	}
 
+	if (outsize < (long)outp->coda_ioctl.data + outp->coda_ioctl.len) {
+		error = -EINVAL;
+		goto exit;
+	}
+        
 	/* Copy out the OUT buffer. */
         if (outp->coda_ioctl.len > data->vi.out_size) {
 		error = -EINVAL;
-        } else {
+		goto exit;
+        }
+
+	/* Copy out the OUT buffer. */
 	if (copy_to_user(data->vi.out,
 			 (char *)outp + (long)outp->coda_ioctl.data,
-				 data->vi.out_size)) {
+			 outp->coda_ioctl.len)) {
 		error = -EFAULT;
 		goto exit;
 	}
-        }
 
  exit:
 	CODA_FREE(inp, insize);

include/linux/coda.h

@@ -761,8 +761,8 @@ union coda_downcalls {
 struct ViceIoctl {
         void __user *in;        /* Data to be transferred in */
         void __user *out;       /* Data to be transferred out */
-        short in_size;          /* Size of input buffer <= 2K */
-        short out_size;         /* Maximum size of output buffer, <= 2K */
+        u_short in_size;        /* Size of input buffer <= 2K */
+        u_short out_size;       /* Maximum size of output buffer, <= 2K */
 };
 
 struct PioctlData {