From baddb6942c90c717d4b00e2b6bb20db96eab9de1 Mon Sep 17 00:00:00 2001
From: Michael Lotz <mmlr@mlotz.ch>
Date: Tue, 13 Oct 2009 00:13:08 +0000
Subject: [PATCH] Check for user buffers and properly use user_memcpy() in that
 case. Fixes #4770.

git-svn-id: file:///srv/svn/repos/haiku/haiku/trunk@33564 a95241bf-73f2-0310-859d-f6bbb57e9c96
---
 .../kernel/network/stack/net_buffer.cpp       | 33 ++++++++++++++-----
 1 file changed, 25 insertions(+), 8 deletions(-)

diff --git a/src/add-ons/kernel/network/stack/net_buffer.cpp b/src/add-ons/kernel/network/stack/net_buffer.cpp
index 174044bd38..91dba10e29 100644
--- a/src/add-ons/kernel/network/stack/net_buffer.cpp
+++ b/src/add-ons/kernel/network/stack/net_buffer.cpp
@@ -16,6 +16,7 @@
 
 #include <ByteOrder.h>
 #include <debug.h>
+#include <kernel.h>
 #include <KernelExport.h>
 #include <util/DoublyLinkedList.h>
 
@@ -1413,7 +1414,11 @@ write_data(net_buffer* _buffer, size_t offset, const void* data, size_t size)
 
 	while (true) {
 		size_t written = min_c(size, node->used - offset);
-		memcpy(node->start + offset, data, written);
+		if (IS_USER_ADDRESS(data)) {
+			if (user_memcpy(node->start + offset, data, written) != B_OK)
+				return B_BAD_ADDRESS;
+		} else
+			memcpy(node->start + offset, data, written);
 
 		size -= written;
 		if (size == 0)
@@ -1456,7 +1461,11 @@ read_data(net_buffer* _buffer, size_t offset, void* data, size_t size)
 
 	while (true) {
 		size_t bytesRead = min_c(size, node->used - offset);
-		memcpy(data, node->start + offset, bytesRead);
+		if (IS_USER_ADDRESS(data)) {
+			if (user_memcpy(data, node->start + offset, bytesRead) != B_OK)
+				return B_BAD_ADDRESS;
+		} else
+			memcpy(data, node->start + offset, bytesRead);
 
 		size -= bytesRead;
 		if (size == 0)
@@ -1572,9 +1581,13 @@ prepend_data(net_buffer* buffer, const void* data, size_t size)
 	if (status < B_OK)
 		return status;
 
-	if (contiguousBuffer)
-		memcpy(contiguousBuffer, data, size);
-	else
+	if (contiguousBuffer) {
+		if (IS_USER_ADDRESS(data)) {
+			if (user_memcpy(contiguousBuffer, data, size) != B_OK)
+				return B_BAD_ADDRESS;
+		} else
+			memcpy(contiguousBuffer, data, size);
+	} else
 		write_data(buffer, 0, data, size);
 
 	//dprintf(" prepend result:\n");
@@ -1683,9 +1696,13 @@ append_data(net_buffer* buffer, const void* data, size_t size)
 	if (status < B_OK)
 		return status;
 
-	if (contiguousBuffer)
-		memcpy(contiguousBuffer, data, size);
-	else
+	if (contiguousBuffer) {
+		if (IS_USER_ADDRESS(data)) {
+			if (user_memcpy(contiguousBuffer, data, size) != B_OK)
+				return B_BAD_ADDRESS;
+		} else
+			memcpy(contiguousBuffer, data, size);
+	} else
 		write_data(buffer, used, data, size);
 
 	return B_OK;