batman-adv: Only write requested number of byte to user buffer

Don't write more than the requested number of bytes of an batman-adv icmp
packet to the userspace buffer. Otherwise unrelated userspace memory might get
overridden by the kernel.

Signed-off-by: Sven Eckelmann <[email protected]>
Signed-off-by: Marek Lindner <[email protected]>

diff --git a/net/batman-adv/icmp_socket.c b/net/batman-adv/icmp_socket.c
index 3b04fff3ede387c54ab382a0c563f1b1b8656d03..d9c1e7bb7fbfa4ba6d5d579bfe1b266cbab65052 100644 (file)
--- a/net/batman-adv/icmp_socket.c
+++ b/net/batman-adv/icmp_socket.c
@@ -136,10 +136,9 @@ static ssize_t bat_socket_read(struct file *file, char __user *buf,
 
        spin_unlock_bh(&socket_client->lock);
 
-       error = copy_to_user(buf, &socket_packet->icmp_packet,
-                            socket_packet->icmp_len);
+       packet_len = min(count, socket_packet->icmp_len);
+       error = copy_to_user(buf, &socket_packet->icmp_packet, packet_len);
 
-       packet_len = socket_packet->icmp_len;
        kfree(socket_packet);
 
        if (error)