Hi Bernd,

I had a couple of questions about the usbdux.c driver:

  1705  /* reads the 4 counters, only two are used just now */
  1706  static int usbdux_counter_read(struct comedi_device *dev,
  1707                                 struct comedi_subdevice *s,
  1708                                 struct comedi_insn *insn, unsigned int 
*data)
  1709  {
  1710          struct usbduxsub *this_usbduxsub = dev->private;
  1711          int chan = insn->chanspec;

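Shouldn't this be the following?  As far as I can tell insn->chanspec is
the packed value (channel plus range and aref bits), so using it unmasked
as the index on line 1736 could reach well outside insnBuffer: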
                int chan = CR_CHAN(insn->chanspec);

  1712          int err;
  1713  
  1714          if (!this_usbduxsub)
  1715                  return -EFAULT;
  1716  
  1717          down(&this_usbduxsub->sem);
  1718  
  1719          if (!(this_usbduxsub->probed)) {
  1720                  up(&this_usbduxsub->sem);
  1721                  return -ENODEV;
  1722          }
  1723  
  1724          err = send_dux_commands(this_usbduxsub, READCOUNTERCOMMAND);
  1725          if (err < 0) {
  1726                  up(&this_usbduxsub->sem);
  1727                  return err;
  1728          }
  1729  
  1730          err = receive_dux_commands(this_usbduxsub, READCOUNTERCOMMAND);
  1731          if (err < 0) {
  1732                  up(&this_usbduxsub->sem);
  1733                  return err;
  1734          }
  1735  
  1736          data[0] = le16_to_cpu(this_usbduxsub->insnBuffer[chan + 1]);
                                                                 ^^^^^^^^
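Where does the "+ 1" come from?  Couldn't this lead to an off-by-one read
past the end of insnBuffer, because comedi_check_chanlist() checks that
"chan" is within bounds but not "chan + 1"?  If the offset is intentional,
it would be safer to check "chan + 1" against the size of insnBuffer before
the read.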

  1737          up(&this_usbduxsub->sem);
  1738          return 1;
  1739  }

regards,
dan carpenter
