Source-Changes-D archive


Re: CVS commit: src/sys/dev

On 12/04/2010 15:09, David Laight wrote:
> On Sat, Dec 04, 2010 at 03:50:25PM -0600, Michael Graff wrote:
>> I admit to a certain lack of understanding the twisty maze of pointers
>> and memory mapping magic at play here, but is simply checking the length
>> enough?  That is, what happens if I pass in a structure that is smaller
>> than expected?
>>
>> That is, is there a way to check the actual size of the data passed into
>> the ioctl, rather than the field in the structure we expect, or is that
>> done at a higher level?
>
> The length of the program's buffer is unknown.
> The kernel uses the high 16 bits of the ioctl command to indicate
> whether to read/write (2 bits) and a length (14 bits).
> If either control bit is set, the ioctl syscall stub will do the
> copyin/out and pass the actual device driver a pointer to the
> in-kernel buffer.
> So the device driver can always access the buffer length implied
> from the command.
>
> To my mind this is a horrid hack :-)
It does ensure, however, that all the error checking is centralized (and therefore more likely to be correct). Removing the checks from the ioctl layer would break a lot of code...
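
A user-space model of the dispatch described in the quoted explanation, added here as an example; it is not code from the NetBSD tree or from anyone in this thread. The macro names, the `struct xfer` argument and the bit layout (taken from the message's description: 2 direction bits, 14 length bits) are assumptions, and `memcpy` stands in for copyin/copyout.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical names. Layout as described in the message above:
 * top 2 bits = copy direction, next 14 bits = argument length. */
#define X_IOC_IN    0x80000000u  /* stub copies the argument in */
#define X_IOC_OUT   0x40000000u  /* stub copies the result out  */
#define X_LEN_SHIFT 16
#define X_LEN_MASK  0x3fffu
#define X_IOC(dir, len, num) \
    ((dir) | (((uint32_t)(len) & X_LEN_MASK) << X_LEN_SHIFT) | (uint32_t)(num))
#define X_IOC_LEN(cmd) (((cmd) >> X_LEN_SHIFT) & X_LEN_MASK)

/* Constructed argument type with an embedded, caller-controlled count. */
struct xfer { uint32_t count; uint8_t data[32]; };
#define XIOC_SEND X_IOC(X_IOC_IN, sizeof(struct xfer), 1)

/* Driver side: kbuf holds exactly X_IOC_LEN(cmd) bytes, so reading the
 * struct is safe, but the values inside it still need checking. */
static int drv_ioctl(uint32_t cmd, void *kbuf)
{
    struct xfer *x = kbuf;

    if (cmd != XIOC_SEND)
        return ENOTTY;          /* unknown command, and so unknown length */
    if (x->count > sizeof(x->data))
        return EINVAL;          /* embedded length exceeds the struct */
    return 0;
}

/* Stand-in for the syscall stub: the copy length comes from the command
 * word alone. The caller's real buffer size is never seen; in a kernel,
 * copyin would fail if the implied range were not mapped. */
int sys_ioctl_model(uint32_t cmd, void *uaddr)
{
    uint32_t kbuf[(X_LEN_MASK + 1) / sizeof(uint32_t)] = {0};
    size_t len = X_IOC_LEN(cmd);
    int error;

    if ((cmd & X_IOC_IN) && len != 0)
        memcpy(kbuf, uaddr, len);       /* copyin stand-in */
    error = drv_ioctl(cmd, kbuf);
    if (error == 0 && (cmd & X_IOC_OUT) && len != 0)
        memcpy(uaddr, kbuf, len);       /* copyout stand-in */
    return error;
}
```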

