In function xen_9pfs_front_probe(), variable len is checked against 0 to
to check the case that xenbus_read() fails. However, xenbus_read() may
return an ERR_PTR pointer even aften assigning a non-zero value to len.
As a result, the check of len cannot prevent from accessing bad memory.
Signed-off-by: Pan Bian <bianpan2...@163.com>
---
net/9p/trans_xen.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/9p/trans_xen.c b/net/9p/trans_xen.c
index 6ad3e04..c548781 100644
--- a/net/9p/trans_xen.c
+++ b/net/9p/trans_xen.c
@@ -389,7 +389,7 @@ static int xen_9pfs_front_probe(struct xenbus_device *dev,
unsigned int max_rings, max_ring_order, len = 0;
versions = xenbus_read(XBT_NIL, dev->otherend, "versions", &len);
- if (!len)
+ if (IS_ERR(versions))
return -EINVAL;
if (strcmp(versions, "1")) {
kfree(versions);
--
1.9.1
