On Wed, 02 Mar 2005 12:10:50 +0100 Panagiotis Issaris wrote: > In the raw1394 driver the failure handling for > a __copy_to_user call is missing. > > With friendly regards, > Takis > > -- > K.U.Leuven, Mechanical Eng., Mechatronics & Robotics Research Group > http://people.mech.kuleuven.ac.be/~pissaris/ > > > > [pi-20050302T114855-linux_2_6_11-raw1394_copy_to_user_failure_handling.diff > text/x-patch (922 bytes)] > diff -pruN linux-2.6.11/drivers/ieee1394/raw1394.c > linux-2.6.11-pi/drivers/ieee1394/raw1394.c > --- linux-2.6.11/drivers/ieee1394/raw1394.c 2005-03-02 11:44:26.000000000 > +0100 > +++ linux-2.6.11-pi/drivers/ieee1394/raw1394.c 2005-03-02 > 11:47:38.000000000 +0100 > @@ -443,7 +443,8 @@ static ssize_t raw1394_read(struct file > req->req.error = RAW1394_ERROR_MEMFAULT; > } > } > - __copy_to_user(buffer, &req->req, sizeof(req->req)); > + if (__copy_to_user(buffer, &req->req, sizeof(req->req))) > + return -EFAULT;
Bug: "req" is not freed in the failure case. > > free_pending_request(req); > return sizeof(struct raw1394_request); >
pgphuQbAxMGnG.pgp
Description: PGP signature
