Module: xenomai-abe
Branch: analogy
Commit: cd55815f21749903e857e4d49c39cf72b959352f
URL:    http://git.xenomai.org/?p=xenomai-abe.git;a=commit;h=cd55815f21749903e857e4d49c39cf72b959352f

Author: Alexis Berlemont <alexis.berlem...@gmail.com>
Date:   Mon Jun 28 00:35:30 2010 +0200

analogy: fix a bug in a4l_fill_desc() when called on an idle device

If we open an unattached device (thanks to a4l_open), the descriptor
field "sbsize" is worth 0. Before calling a4l_fill_desc, we need to
allocate a memory area so as to hold the device info data. According
to the manual page, malloc(0) does not have to return NULL. It can
return a pointer. So, we call a4l_fill_desc without any allocated
memory area. As there was no proper checking test in a4l_fill_desc,
there was a memory corruption bug.

---

 src/drvlib/analogy/descriptor.c |    9 +++++++++
 1 files changed, 9 insertions(+), 0 deletions(-)

diff --git a/src/drvlib/analogy/descriptor.c b/src/drvlib/analogy/descriptor.c
index a7addc0..6737265 100644
--- a/src/drvlib/analogy/descriptor.c
+++ b/src/drvlib/analogy/descriptor.c
@@ -229,6 +229,8 @@ static int __a4l_fill_desc(int fd, a4l_desc_t * dsc)
  *    pass argument should be checked; check also the kernel log
  *    ("dmesg")
  * - -EFAULT is returned if a user <-> kernel transfer went wrong
+ * - -ENODEV is returned if the descriptor is incoherent (the device
+ *    may be unattached)
  *
  */
 
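Review bot: the new -ENODEV entry in this comment calls the descriptor "incoherent" without naming the condition. The only check added by this patch tests `dsc->sbsize` for zero in the else branch of `a4l_sys_desc`, so the text could say that -ENODEV is returned when `dsc->sbsize` is 0, which is something a caller can verify before the call.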
@@ -251,6 +253,11 @@ int a4l_sys_desc(int fd, a4l_desc_t * dsc, int pass)
                dsc->magic = MAGIC_BSC_DESC;
        } else {
 
+               if (!dsc->sbsize) {
+                       ret = -ENODEV;
+                       goto out_a4l_sys_desc;
+               }
+
                ret = __a4l_fill_desc(fd, dsc);
                if (ret < 0)
                        goto out_a4l_sys_desc;
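Review bot: the guard `if (!dsc->sbsize)` placed before `__a4l_fill_desc(fd, dsc)` covers only a zero size. The commit message describes the failure as filling a descriptor that has no allocated memory area, and a caller holding a non-zero `sbsize` with a NULL buffer pointer still reaches `__a4l_fill_desc`. Consider rejecting a NULL buffer pointer at the same place, with an error distinct from -ENODEV since that case is a bad argument rather than an unattached device.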
@@ -350,6 +357,8 @@ int a4l_close(a4l_desc_t * dsc)
  *    the dsc pointer should be checked; check also the kernel log
  *    ("dmesg")
  * - -EFAULT is returned if a user <-> kernel transfer went wrong
+ * - -ENODEV is returned if the descriptor is incoherent (the device
+ *    may be unattached)
  *
  */
 int a4l_fill_desc(a4l_desc_t * dsc)
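Review bot: the comment above `a4l_fill_desc` now documents -ENODEV, but no line of `a4l_fill_desc` itself changes in this patch; the only new check is the one in `a4l_sys_desc`. The documented return value holds only if `a4l_fill_desc` reaches that check and returns its error unchanged, so it is worth confirming that path or adding the `sbsize` test in `a4l_fill_desc` directly, given that the commit subject names this function as the one being fixed.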


_______________________________________________
Xenomai-git mailing list
Xenomai-git@gna.org
https://mail.gna.org/listinfo/xenomai-git