firewire: fix NULL pointer deref. and resource leak

Tue, 26 Feb 2008 09:02:10 -0800 

Gitweb:     
http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=fae603121428ba83b7343c88e68a7144525ab3eb
Commit:     fae603121428ba83b7343c88e68a7144525ab3eb
Parent:     09d7328e62e3b4cefe4bf3eeeeacb54f62a7ae5c
Author:     Stefan Richter <[EMAIL PROTECTED]>
AuthorDate: Wed Feb 20 21:10:06 2008 +0100
Committer:  Stefan Richter <[EMAIL PROTECTED]>
CommitDate: Thu Feb 21 19:05:56 2008 +0100

    firewire: fix NULL pointer deref. and resource leak
    
    By supplying ioctl()s in the wrong order, a userspace client was able to
    trigger NULL pointer dereferences.  Furthermore, by calling
    ioctl_create_iso_context more than once, new contexts could be created
    without ever freeing the previously created contexts.
    
    Thanks to Anders Blomdell for the report.
    
    Signed-off-by: Stefan Richter <[EMAIL PROTECTED]>
---
 drivers/firewire/fw-cdev.c |    9 +++++++--
 1 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/drivers/firewire/fw-cdev.c b/drivers/firewire/fw-cdev.c
index 44ccee2..46bc197 100644
--- a/drivers/firewire/fw-cdev.c
+++ b/drivers/firewire/fw-cdev.c
@@ -646,6 +646,10 @@ static int ioctl_create_iso_context(struct client *client, 
void *buffer)
        struct fw_cdev_create_iso_context *request = buffer;
        struct fw_iso_context *context;
 
+       /* We only support one context at this time. */
+       if (client->iso_context != NULL)
+               return -EBUSY;
+
        if (request->channel > 63)
                return -EINVAL;
 
@@ -792,8 +796,9 @@ static int ioctl_start_iso(struct client *client, void 
*buffer)
 {
        struct fw_cdev_start_iso *request = buffer;
 
-       if (request->handle != 0)
+       if (client->iso_context == NULL || request->handle != 0)
                return -EINVAL;
+
        if (client->iso_context->type == FW_ISO_CONTEXT_RECEIVE) {
                if (request->tags == 0 || request->tags > 15)
                        return -EINVAL;
@@ -810,7 +815,7 @@ static int ioctl_stop_iso(struct client *client, void 
*buffer)
 {
        struct fw_cdev_stop_iso *request = buffer;
 
-       if (request->handle != 0)
+       if (client->iso_context == NULL || request->handle != 0)
                return -EINVAL;
 
        return fw_iso_context_stop(client->iso_context);
-
To unsubscribe from this list: send the line "unsubscribe git-commits-head" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to