diff options
| author | Dan Carpenter | 2011-08-09 17:52:38 +0200 |
|---|---|---|
| committer | Mauro Carvalho Chehab | 2011-09-03 23:23:42 +0200 |
| commit | e9013fb6eb397df9fd2e71d4f31a8bad4e65d046 (patch) | |
| tree | 451e2abe1dcb3e8df761730450f65b743c3ddf61 /drivers/media/dvb/ddbridge | |
| parent | [media] CXD2820R: Replace i2c message translation with repeater gate control (diff) | |
| download | kernel-qcow2-linux-e9013fb6eb397df9fd2e71d4f31a8bad4e65d046.tar.gz kernel-qcow2-linux-e9013fb6eb397df9fd2e71d4f31a8bad4e65d046.tar.xz kernel-qcow2-linux-e9013fb6eb397df9fd2e71d4f31a8bad4e65d046.zip | |
[media] ddbridge: fix ddb_ioctl()
There were a several problems in this function:
1) Potential integer overflow in the comparison:
if (fio.write_len + fio.read_len > 1028) {
2) If the user gave bogus values for write_len and read_len then
returning -EINVAL is more appropriate than returning -ENOMEM.
3) wbuf was set to the address of an array and could never be NULL
so I removed the pointless NULL check.
4) The call to vfree(wbuf) was improper. That array is part of a
larger struct and isn't allocated by itself.
5) flashio() can't actually fail, but we may as well add error
handling in case this changes later.
6) In the default case where an ioctl is not implemented then
returning -ENOTTY is more appropriate than returning -EFAULT.
Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
Diffstat (limited to 'drivers/media/dvb/ddbridge')
| -rw-r--r-- | drivers/media/dvb/ddbridge/ddbridge-core.c | 34 |
1 files changed, 17 insertions, 17 deletions
diff --git a/drivers/media/dvb/ddbridge/ddbridge-core.c b/drivers/media/dvb/ddbridge/ddbridge-core.c index 573d540f213e..fe56703cecfb 100644 --- a/drivers/media/dvb/ddbridge/ddbridge-core.c +++ b/drivers/media/dvb/ddbridge/ddbridge-core.c @@ -1438,7 +1438,7 @@ static long ddb_ioctl(struct file *file, unsigned int cmd, unsigned long arg) { struct ddb *dev = file->private_data; void *parg = (void *)arg; - int res = -EFAULT; + int res; switch (cmd) { case IOCTL_DDB_FLASHIO: @@ -1447,29 +1447,29 @@ static long ddb_ioctl(struct file *file, unsigned int cmd, unsigned long arg) u8 *rbuf, *wbuf; if (copy_from_user(&fio, parg, sizeof(fio))) - break; - if (fio.write_len + fio.read_len > 1028) { - printk(KERN_ERR "IOBUF too small\n"); - return -ENOMEM; - } + return -EFAULT; + + if (fio.write_len > 1028 || fio.read_len > 1028) + return -EINVAL; + if (fio.write_len + fio.read_len > 1028) + return -EINVAL; + wbuf = &dev->iobuf[0]; - if (!wbuf) - return -ENOMEM; rbuf = wbuf + fio.write_len; - if (copy_from_user(wbuf, fio.write_buf, fio.write_len)) { - vfree(wbuf); - break; - } - res = flashio(dev, wbuf, fio.write_len, - rbuf, fio.read_len); + + if (copy_from_user(wbuf, fio.write_buf, fio.write_len)) + return -EFAULT; + res = flashio(dev, wbuf, fio.write_len, rbuf, fio.read_len); + if (res) + return res; if (copy_to_user(fio.read_buf, rbuf, fio.read_len)) - res = -EFAULT; + return -EFAULT; break; } default: - break; + return -ENOTTY; } - return res; + return 0; } static const struct file_operations ddb_fops = { |