From 81152d0aae1a61415a690591d884c8faa0bc3a8a Mon Sep 17 00:00:00 2001
From: Henrik Brix Andersen
Date: Fri, 1 Apr 2022 17:47:18 +0200
Subject: [PATCH] drivers: can: handlers: verify timing parameter access

Verify read access to the timing and timing_data parameters in z_vrfy_can_set_timing() and pass a copy of these structs to the implementation as recommended for Zephyr system calls. Remove unnecessary typecasts.

Signed-off-by: Henrik Brix Andersen
---
 drivers/can/can_handlers.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/drivers/can/can_handlers.c b/drivers/can/can_handlers.c
index 3ef455d6474..de44d70c817 100644
--- a/drivers/can/can_handlers.c
+++ b/drivers/can/can_handlers.c
@@ -27,11 +27,18 @@ static inline int z_vrfy_can_set_timing(const struct device *dev,
 const struct can_timing *timing,
 const struct can_timing *timing_data)
 {
- Z_OOPS(Z_SYSCALL_DRIVER_CAN(dev, set_timing));
+ struct can_timing timing_copy;
+ struct can_timing timing_data_copy;
 
- return z_impl_can_set_timing((const struct device *)dev,
- (const struct can_timing *)timing,
- (const struct can_timing *)timing_data);
+ Z_OOPS(Z_SYSCALL_DRIVER_CAN(dev, set_timing));
+ Z_OOPS(z_user_from_copy(&timing_copy, timing, sizeof(timing_copy)));
+
+ if (timing_data != NULL) {
+ Z_OOPS(z_user_from_copy(&timing_data_copy, timing_data, sizeof(timing_data_copy)));
+ return z_impl_can_set_timing(dev, &timing_copy, &timing_data_copy);
+ }
+
+ return z_impl_can_set_timing(dev, &timing_copy, NULL);
 }
 #include
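Review bot: The new body of z_vrfy_can_set_timing() treats its two pointers differently without saying why: `timing` is copied unconditionally, so a NULL or unreadable user pointer ends in Z_OOPS, while `timing_data` may be NULL and is then passed through as NULL. A comment above the `if (timing_data != NULL)` branch would record that contract, for example `/* timing_data is optional; copy it only when supplied so the implementation never dereferences user memory */`. The kernel-side copies stop a user thread from changing the structs between verification and use, but the field values themselves still reach z_impl_can_set_timing() unchecked in this handler. Whether the implementation range-checks them is not visible in this hunk and is worth confirming.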