patch-2.3.2 linux/fs/ncpfs/ioctl.c


diff -u --recursive --new-file v2.3.1/linux/fs/ncpfs/ioctl.c linux/fs/ncpfs/ioctl.c
@@ -33,6 +33,7 @@
 	int result;
 	struct ncp_ioctl_request request;
 	struct ncp_fs_info info;
+	char* bouncebuffer;
 
 #ifdef NCP_IOC_GETMOUNTUID_INT
 	/* remove after ncpfs-2.0.13/2.2.0 gets released */
@@ -57,12 +58,9 @@
 		    && (current->uid != server->m.mounted_uid)) {
 			return -EACCES;
 		}
-		if ((result = verify_area(VERIFY_READ, (char *) arg,
-					  sizeof(request))) != 0) {
-			return result;
-		}
-		copy_from_user(&request, (struct ncp_ioctl_request *) arg,
-			       sizeof(request));
+		if (copy_from_user(&request, (struct ncp_ioctl_request *) arg,
+			       sizeof(request)))
+			return -EFAULT;
 
 		if ((request.function > 255)
 		    || (request.size >
@@ -73,6 +71,13 @@
 					  NCP_PACKET_SIZE)) != 0) {
 			return result;
 		}
+		bouncebuffer = kmalloc(NCP_PACKET_SIZE, GFP_NFS);
+		if (!bouncebuffer)
+			return -ENOMEM;
+		if (copy_from_user(bouncebuffer, request.data, request.size)) {
+			kfree(bouncebuffer);
+			return -EFAULT;
+		}
 		ncp_lock_server(server);
 
 		/* FIXME: We hack around in the server's structures
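Review bot: The added `copy_from_user(bouncebuffer, request.data, request.size)` fits the `NCP_PACKET_SIZE` allocation only because `request.size` was range-checked earlier, in a condition that is cut off at the end of the previous hunk, and nothing at the copy records that dependency. A comment above the `kmalloc` would make it explicit along with the ordering, for example `/* request.size was range-checked above; copy the user data in before taking the server lock */`. The `verify_area` call whose tail is visible in the context lines just above (it starts outside the hunk) appears to still require a full `NCP_PACKET_SIZE` area at `request.data`. Now that the copy back to user space is checked on its own, it is worth confirming whether that pre-check is still wanted.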
@@ -80,17 +85,22 @@
 
 		server->has_subfunction = 0;
 		server->current_size = request.size;
-		copy_from_user(server->packet, request.data, request.size);
-
-		ncp_request(server, request.function);
-
-		DPRINTK(KERN_DEBUG "ncp_ioctl: copy %d bytes\n",
-			server->reply_size);
-		copy_to_user(request.data, server->packet, server->reply_size);
+		memcpy(server->packet, bouncebuffer, request.size);
 
+		result = ncp_request2(server, request.function, 
+			bouncebuffer, NCP_PACKET_SIZE);
+		if (result)
+			result = -EIO;
+		else
+			result = server->reply_size;
 		ncp_unlock_server(server);
-
-		return server->reply_size;
+		DPRINTK(KERN_DEBUG "ncp_ioctl: copy %d bytes\n",
+			result);
+		if (result >= 0)
+			if (copy_to_user(request.data, bouncebuffer, result))
+				result = -EFAULT;
+		kfree(bouncebuffer);
+		return result;
 
 	case NCP_IOC_CONN_LOGGED_IN:
 
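Review bot: The length given to `copy_to_user(request.data, bouncebuffer, result)` is `server->reply_size`, and nothing in this hunk compares it with the `NCP_PACKET_SIZE` bytes allocated for `bouncebuffer`. Unless `ncp_request2` (not shown here) already caps the reply at the size it is passed, a larger value would read past the allocation, and because the buffer comes from `kmalloc` without being zeroed, any bytes the reply did not overwrite would reach user space as stale kernel heap data. A local guard before the unlock, such as `else if (server->reply_size > NCP_PACKET_SIZE) result = -EIO;`, keeps the bound next to the copy. Two smaller points: the `DPRINTK` now prints `result` as a byte count even when it holds `-EIO`, and the nested `if (result >= 0) if (copy_to_user(...))` would read more safely with braces. The enclosing `case` begins outside this hunk.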
