In daqp_attach(), the first options value passed in the comedi_devconfig is used as an index to the private dev_table[] in this driver. This table is used to pass the pcmcia_device to the comedi_driver.
Fix the code so that the index is checked before the table is accessed so that we don't get a possible memory dereference BUG. Change the error returned to the comedi core from -EIO to -ENODEV. Signed-off-by: H Hartley Sweeten <[email protected]> Cc: Ian Abbott <[email protected]> Cc: Greg Kroah-Hartman <[email protected]> --- drivers/staging/comedi/drivers/quatech_daqp_cs.c | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/drivers/staging/comedi/drivers/quatech_daqp_cs.c b/drivers/staging/comedi/drivers/quatech_daqp_cs.c index 185632e..2a5f9ab 100644 --- a/drivers/staging/comedi/drivers/quatech_daqp_cs.c +++ b/drivers/staging/comedi/drivers/quatech_daqp_cs.c @@ -733,15 +733,16 @@ static int daqp_do_insn_write(struct comedi_device *dev, static int daqp_attach(struct comedi_device *dev, struct comedi_devconfig *it) { - int ret; - struct local_info_t *local = dev_table[it->options[0]]; + struct local_info_t *local; struct comedi_subdevice *s; + int ret; - if (it->options[0] < 0 || it->options[0] >= MAX_DEV || !local) { - dev_err(dev->class_dev, "No such daqp device %d\n", - it->options[0]); - return -EIO; - } + if (it->options[0] < 0 || it->options[0] >= MAX_DEV) + return -ENODEV; + + local = dev_table[it->options[0]]; + if (!local) + return -ENODEV; /* Typically brittle code that I don't completely understand, * but "it works on my card". The intent is to pull the model -- 1.8.0.2 _______________________________________________ devel mailing list [email protected] http://driverdev.linuxdriverproject.org/mailman/listinfo/devel
