Module: xenomai-abe
Branch: analogy
Commit: 46f6f2c55e76d847983512226fe010557af9e9e9
URL:    
http://git.xenomai.org/?p=xenomai-abe.git;a=commit;h=46f6f2c55e76d847983512226fe010557af9e9e9

Author: Alexis Berlemont <alexis.berlem...@gmail.com>
Date:   Sat Nov 28 15:51:57 2009 +0100

analogy: fix potentiel NULL instructions handlers executions

The instruction ioctl functions did not properly check that a read /
write / config / bits handler was registered by the low-level
driver. That leaves room for bad accesses to occur.

---

 ksrc/drivers/analogy/instruction.c |   36 +++++++++++++++++++++++++-----------
 1 files changed, 25 insertions(+), 11 deletions(-)

diff --git a/ksrc/drivers/analogy/instruction.c 
b/ksrc/drivers/analogy/instruction.c
index ecd28be..2ca7305 100644
--- a/ksrc/drivers/analogy/instruction.c
+++ b/ksrc/drivers/analogy/instruction.c
@@ -201,6 +201,8 @@ int a4l_do_insn(a4l_cxt_t * cxt, a4l_kinsn_t * dsc)
        int ret;
        a4l_subd_t *subd;
        a4l_dev_t *dev = a4l_get_dev(cxt);
+       int (*hdlr) (a4l_subd_t *, a4l_kinsn_t *) = NULL;
+
 
        /* Checks the subdevice index */
        if (dsc->idx_subd >= dev->transfer.nb_subd) {
@@ -223,30 +225,42 @@ int a4l_do_insn(a4l_cxt_t * cxt, a4l_kinsn_t * dsc)
        if (ret < 0)
                return ret;
 
-       /* Prevents the subdevice from being used during 
-          the following operations */
-       ret = a4l_reserve_transfer(cxt, dsc->idx_subd);
-       if (ret < 0)
-               goto out_do_insn;
-
-       /* Lets the driver-specific code perform the instruction */
+       /* Choose the proper handler, we can check the pointer because
+          the subdevice was memset to 0 at allocation time */
        switch (dsc->type) {
        case A4L_INSN_READ:
-               ret = subd->insn_read(subd, dsc);
+               hdlr = subd->insn_read;
                break;
        case A4L_INSN_WRITE:
-               ret = subd->insn_write(subd, dsc);
+               hdlr = subd->insn_write;
                break;
        case A4L_INSN_BITS:
-               ret = subd->insn_bits(subd, dsc);
+               hdlr = subd->insn_bits;
                break;
        case A4L_INSN_CONFIG:
-               ret = subd->insn_config(subd, dsc);
+               hdlr = subd->insn_config;
                break;
        default:
                ret = -EINVAL;
        }
 
+       /* We check the instruction type */
+       if (ret < 0)
+               return ret;
+
+       /* We check whether a handler is available */
+       if (hdlr == NULL)
+               return -ENOSYS;
+
+       /* Prevents the subdevice from being used during 
+          the following operations */
+       ret = a4l_reserve_transfer(cxt, dsc->idx_subd);
+       if (ret < 0)
+               goto out_do_insn;
+
+       /* Let's the driver-specific code perform the instruction */
+       ret = hdlr(subd, dsc);
+
 out_do_insn:
 
        /* Releases the subdevice from its reserved state */
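Review bot: When `a4l_reserve_transfer()` fails, the new code still jumps to `out_do_insn`, whose comment says it releases the subdevice from its reserved state, so a caller that never obtained the reservation reaches the release path. If that release is unconditional (the code after the label is outside the hunk, so this is inferred), a rejected request could clear a reservation held by another context and let two instruction handlers run on the same subdevice at once. The two new early exits already return directly before the reservation is taken, and the failure branch can do the same: `if (ret < 0) return ret;`. a4l_do_insn begins before this hunk and ends after it.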

