From dd5de1f165ade430357960459491a067c7e3d21c Mon Sep 17 00:00:00 2001 From: Tomas Winkler Date: Mon, 2 Sep 2013 03:11:04 +0300 Subject: [PATCH] mei: revamp read and write length checks 1. Return zero on zero length read and writes 2. For a too large write return -EFBIG as defined in man write(2) EFBIG An attempt was made to write a file that exceeds the implementation-defined maximum file size or the process's file size limit, or to write at a position past the maximum allowed offset. Signed-off-by: Tomas Winkler Signed-off-by: Greg Kroah-Hartman --- drivers/misc/mei/main.c | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/drivers/misc/mei/main.c b/drivers/misc/mei/main.c index 5ff810b1e8b3..7404584e65e1 100644 --- a/drivers/misc/mei/main.c +++ b/drivers/misc/mei/main.c @@ -203,12 +203,18 @@ static ssize_t mei_read(struct file *file, char __user *ubuf, dev = cl->dev; + mutex_lock(&dev->device_lock); if (dev->dev_state != MEI_DEV_ENABLED) { rets = -ENODEV; goto out; } + if (length == 0) { + rets = 0; + goto out; + } + if (cl == &dev->iamthif_cl) { rets = mei_amthif_read(dev, file, ubuf, length, offset); goto out; @@ -350,8 +356,14 @@ static ssize_t mei_write(struct file *file, const char __user *ubuf, rets = -ENODEV; goto out; } - if (length > dev->me_clients[id].props.max_msg_length || length <= 0) { - rets = -EMSGSIZE; + + if (length == 0) { + rets = 0; + goto out; + } + + if (length > dev->me_clients[id].props.max_msg_length) { + rets = -EFBIG; goto out; } -- 2.20.1