From 41a3cca2c7533c0e856f65c38808a8a9dd3a1e42 Mon Sep 17 00:00:00 2001 From: Julien Desfossez Date: Mon, 2 May 2016 16:48:08 -0400 Subject: [PATCH] Fix: copy_from_user size when limited allocation We restrict the memory allocation to one page, but in two syscalls we were using the wrong size in the copy_from_user. Signed-off-by: Julien Desfossez Signed-off-by: Mathieu Desnoyers
---
 .../syscalls/headers/syscalls_pointers_override.h | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/instrumentation/syscalls/headers/syscalls_pointers_override.h b/instrumentation/syscalls/headers/syscalls_pointers_override.h
index dd6f9544..4a69fc3e 100644
--- a/instrumentation/syscalls/headers/syscalls_pointers_override.h
+++ b/instrumentation/syscalls/headers/syscalls_pointers_override.h
@@ -418,8 +418,7 @@ static struct lttng_type lttng_pollfd_elem = {
 if (!tp_locvar->fds) \
 goto error; \
 err = lib_ring_buffer_copy_from_user_check_nofault( \
- tp_locvar->fds, ufds, \
- nfds * sizeof(struct pollfd)); \
+ tp_locvar->fds, ufds, tp_locvar->alloc_fds); \
 if (err != 0) \
 goto error; \
 } \
@@ -772,7 +771,7 @@ static struct lttng_type lttng_epoll_wait_elem = {
 \
 err = lib_ring_buffer_copy_from_user_check_nofault( \
 tp_locvar->events, uevents, \
- maxevents * sizeof(struct epoll_event)); \
+ maxalloc * sizeof(struct epoll_event)); \
 if (err != 0) \
 tp_locvar->fds_length = 0; \
 } \
-- 2.34.1
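Review bot: At the `lib_ring_buffer_copy_from_user_check_nofault()` call in the poll hunk, `tp_locvar->alloc_fds` is now passed where a byte count is expected, but its name reads like a number of descriptors and its computation is outside this hunk, so neither the unit nor the one-page cap can be checked from here. A comment above the call would pin that down, for example `/* alloc_fds: byte size of the tp_locvar->fds buffer, capped at one page */`. Because the buffer may now hold fewer entries than `nfds`, any later walk over `tp_locvar->fds` presumably has to be bounded by the capped length rather than by `nfds`; that code is not visible in this patch and is worth confirming. The enclosing macro body starts and ends outside the hunk.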
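Review bot: In the epoll_wait hunk the copy length `maxalloc * sizeof(struct epoll_event)` is written out at the call and has to stay identical to the size given to the allocation of `tp_locvar->events`, which lies outside this hunk. Going by the commit message, two separately written size expressions appear to be what let the copy exceed the buffer before this fix. The poll path in the same patch passes one stored size (`tp_locvar->alloc_fds`); doing the same here, e.g. `size_t alloc_len = maxalloc * sizeof(struct epoll_event);` used for both the allocation and the copy, would keep the two from drifting apart again. A failed copy here only sets `tp_locvar->fds_length = 0` while the poll path does `goto error`, so a short comment on why the two differ would help. The enclosing block begins before and continues after the hunk.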