Module: xenomai-2.5
Branch: master
Commit: 89c98166b1fe4c62f043c8c795dcad6f020c451a
URL:    http://git.xenomai.org/?p=xenomai-2.5.git;a=commit;h=89c98166b1fe4c62f043c8c795dcad6f020c451a

Author: Alexis Berlemont <alexis.berlem...@gmail.com>
Date:   Mon Jun 28 00:35:30 2010 +0200

analogy: fix a bug in a4l_fill_desc() when called on an idle device

If we open an unattached device (thanks to a4l_open), the descriptor
field "sbsize" is worth 0. Before calling a4l_fill_desc, we need to
allocate a memory area so as to hold the device info data. According
to the manual page, malloc(0) does not have to return NULL. It can
return a pointer. So, we call a4l_fill_desc without any allocated
memory area. As there was no proper checking test in a4l_fill_desc,
there was a memory corruption bug.

---

 src/drvlib/analogy/descriptor.c |    9 +++++++++
 1 files changed, 9 insertions(+), 0 deletions(-)

diff --git a/src/drvlib/analogy/descriptor.c b/src/drvlib/analogy/descriptor.c
index a7addc0..6737265 100644
--- a/src/drvlib/analogy/descriptor.c
+++ b/src/drvlib/analogy/descriptor.c
@@ -229,6 +229,8 @@ static int __a4l_fill_desc(int fd, a4l_desc_t * dsc)
  *    pass argument should be checked; check also the kernel log
  *    ("dmesg")
  * - -EFAULT is returned if a user <-> kernel transfer went wrong
+ * - -ENODEV is returned if the descriptor is incoherent (the device
+ *    may be unattached)
  *
  */
 
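Review bot: The -ENODEV entry added to this comment does not say when it applies. Per the next hunk, the check sits in the else branch of a4l_sys_desc() and fires only when dsc->sbsize is 0, so "incoherent" is vaguer than the code. Suggest "-ENODEV is returned if dsc->sbsize is 0 (the device may be unattached)", and, since the surrounding text already refers to the pass argument, stating that this error is only returned on the pass handled by that else branch.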
@@ -251,6 +253,11 @@ int a4l_sys_desc(int fd, a4l_desc_t * dsc, int pass)
                dsc->magic = MAGIC_BSC_DESC;
        } else {
 
+               if (!dsc->sbsize) {
+                       ret = -ENODEV;
+                       goto out_a4l_sys_desc;
+               }
+
                ret = __a4l_fill_desc(fd, dsc);
                if (ret < 0)
                        goto out_a4l_sys_desc;
@@ -350,6 +357,8 @@ int a4l_close(a4l_desc_t * dsc)
  *    the dsc pointer should be checked; check also the kernel log
  *    ("dmesg")
  * - -EFAULT is returned if a user <-> kernel transfer went wrong
+ * - -ENODEV is returned if the descriptor is incoherent (the device
+ *    may be unattached)
  *
  */
 int a4l_fill_desc(a4l_desc_t * dsc)
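Review bot: The -ENODEV entry documented here for a4l_fill_desc() has no matching check in this function within the patch: the diffstat's 9 insertions are fully accounted for by the two comment additions and the five-line guard in a4l_sys_desc(). The comment is therefore only accurate if a4l_fill_desc() returns the result of a4l_sys_desc(); worth confirming that path and saying so in the comment, so the documented error does not silently go stale if the call chain changes.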


_______________________________________________
Xenomai-git mailing list
Xenomai-git@gna.org
https://mail.gna.org/listinfo/xenomai-git
