Re: [patch 2/2] staging: line6: use after free bug requesting version

2013-01-17 Thread Greg Kroah-Hartman
On Sun, Jan 13, 2013 at 07:15:22PM +0100, Markus Grabner wrote: > On Thursday 06 December 2012 06:18:02 Stefan Hajnoczi wrote: > > On Wed, Dec 5, 2012 at 7:44 PM, Dan Carpenter > wrote: > > > diff --git a/drivers/staging/line6/driver.c > > > b/drivers/staging/line6/driver.c index 8a5d89e..884e0d8

Re: [patch 2/2] staging: line6: use after free bug requesting version

2013-01-13 Thread Stefan Hajnoczi
On Sun, Jan 13, 2013 at 7:15 PM, Markus Grabner wrote: > Considering the suggestions made so far, I came up with the following > solution: the function "line6_send_raw_message_async" now has an additional > argument "bool copy", which indicates whether the supplied buffer should be > copied into a

Re: [patch 2/2] staging: line6: use after free bug requesting version

2013-01-13 Thread Markus Grabner
On Thursday 06 December 2012 06:18:02 Stefan Hajnoczi wrote: > On Wed, Dec 5, 2012 at 7:44 PM, Dan Carpenter wrote: > > diff --git a/drivers/staging/line6/driver.c > > b/drivers/staging/line6/driver.c index 8a5d89e..884e0d8 100644 > > --- a/drivers/staging/line6/driver.c > > +++ b/drivers/staging

Re: [patch 2/2] staging: line6: use after free bug requesting version

2013-01-08 Thread Dan Carpenter
On Tue, Jan 08, 2013 at 11:54:25PM +0100, Markus Grabner wrote: > Am Donnerstag, 6. Dezember 2012, 10:08:44 schrieb Dan Carpenter: > > On Thu, Dec 06, 2012 at 06:18:02AM +0100, Stefan Hajnoczi wrote: > > > On Wed, Dec 5, 2012 at 7:44 PM, Dan Carpenter > wrote: > > > > diff --git a/drivers/staging

Re: [patch 2/2] staging: line6: use after free bug requesting version

2013-01-08 Thread Markus Grabner
Am Donnerstag, 6. Dezember 2012, 10:08:44 schrieb Dan Carpenter: > On Thu, Dec 06, 2012 at 06:18:02AM +0100, Stefan Hajnoczi wrote: > > On Wed, Dec 5, 2012 at 7:44 PM, Dan Carpenter wrote: > > > diff --git a/drivers/staging/line6/driver.c > > > b/drivers/staging/line6/driver.c index 8a5d89e..884e

Re: [patch 2/2] staging: line6: use after free bug requesting version

2012-12-05 Thread Dan Carpenter
On Thu, Dec 06, 2012 at 06:18:02AM +0100, Stefan Hajnoczi wrote: > On Wed, Dec 5, 2012 at 7:44 PM, Dan Carpenter > wrote: > > diff --git a/drivers/staging/line6/driver.c b/drivers/staging/line6/driver.c > > index 8a5d89e..884e0d8 100644 > > --- a/drivers/staging/line6/driver.c > > +++ b/drivers/s

Re: [patch 2/2] staging: line6: use after free bug requesting version

2012-12-05 Thread Stefan Hajnoczi
On Wed, Dec 5, 2012 at 7:44 PM, Dan Carpenter wrote: > diff --git a/drivers/staging/line6/driver.c b/drivers/staging/line6/driver.c > index 8a5d89e..884e0d8 100644 > --- a/drivers/staging/line6/driver.c > +++ b/drivers/staging/line6/driver.c > @@ -110,7 +110,7 @@ struct message { > */ > static v

[patch 2/2] staging: line6: use after free bug requesting version

2012-12-05 Thread Dan Carpenter
In line6_version_request_async() we set up an async message but we free the buffer with the version in it before the message has been sent. I've introduced a new function line6_async_request_sent_free_buffer() which frees the data after we are done with it. I've added a "free" parameter to the li