--- linux-2.6.23.14/fs/splice.c.orig 2008-01-14 21:49:56.000000000 +0100
+++ linux-2.6.23.14/fs/splice.c 2008-02-12 02:49:22.000000000 +0100
@@ -1234,6 +1234,9 @@
{
int partial;
+ if (!access_ok(VERIFY_READ, src, n))
+ return -EFAULT;
+
pagefault_disable();
partial = __copy_from_user_inatomic(dst, src, n);
pagefault_enable();
@@ -1286,7 +1289,7 @@
if (unlikely(!len))
break;
error = -EFAULT;
- if (unlikely(!base))
+ if (!access_ok(VERIFY_READ, base, len))
break;
/*
@@ -1442,6 +1445,11 @@
break;
}
+ if (unlikely(!access_ok(VERIFY_WRITE, base, len))) {
+ error = -EFAULT;
+ break;
+ }
+
sd.len = 0;
sd.total_len = len;
sd.flags = flags;