Hi,
Anton Altaparmakov wrote:
On Wed, 2005-03-02 at 12:10 +0100, Panagiotis Issaris wrote:
In the raw1394 driver the failure handling for
a __copy_to_user call is missing.
Your patch is obviously incorrect as it doesn't free the request before
it returns.
Oops. Thanks for replying! Any more problems with the updated
patch?
With friendly regards,
Takis
--
K.U.Leuven, Mechanical Eng., Mechatronics & Robotics Research Group
http://people.mech.kuleuven.ac.be/~pissaris/
diff -pruN linux-2.6.11/drivers/ieee1394/raw1394.c linux-2.6.11-pi/drivers/ieee1394/raw1394.c
--- linux-2.6.11/drivers/ieee1394/raw1394.c 2005-03-02 11:44:26.000000000 +0100
+++ linux-2.6.11-pi/drivers/ieee1394/raw1394.c 2005-03-02 13:15:58.000000000 +0100
@@ -443,7 +443,11 @@ static ssize_t raw1394_read(struct file
req->req.error = RAW1394_ERROR_MEMFAULT;
}
}
- __copy_to_user(buffer, &req->req, sizeof(req->req));
+ if (__copy_to_user(buffer, &req->req, sizeof(req->req)))
+ {
+ free_pending_request(req);
+ return -EFAULT;
+ }
free_pending_request(req);
return sizeof(struct raw1394_request);
