提交 e9013fb6 编写于 作者: D Dan Carpenter 提交者: Mauro Carvalho Chehab

[media] ddbridge: fix ddb_ioctl()

There were several problems in this function:

1) Potential integer overflow in the comparison:
	if (fio.write_len + fio.read_len > 1028) {

2) If the user gave bogus values for write_len and read_len then
   returning -EINVAL is more appropriate than returning -ENOMEM.

3) wbuf was set to the address of an array and could never be NULL
   so I removed the pointless NULL check.

4) The call to vfree(wbuf) was improper.  That array is part of a
   larger struct and isn't allocated by itself.

5) flashio() can't actually fail, but we may as well add error
   handling in case this changes later.

6) In the default case where an ioctl is not implemented then
   returning -ENOTTY is more appropriate than returning -EFAULT.
Signed-off-by: NDan Carpenter <error27@gmail.com>
Signed-off-by: NMauro Carvalho Chehab <mchehab@redhat.com>
上级 0db4bf42
...@@ -1438,7 +1438,7 @@ static long ddb_ioctl(struct file *file, unsigned int cmd, unsigned long arg) ...@@ -1438,7 +1438,7 @@ static long ddb_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
{ {
struct ddb *dev = file->private_data; struct ddb *dev = file->private_data;
void *parg = (void *)arg; void *parg = (void *)arg;
int res = -EFAULT; int res;
switch (cmd) { switch (cmd) {
case IOCTL_DDB_FLASHIO: case IOCTL_DDB_FLASHIO:
...@@ -1447,29 +1447,29 @@ static long ddb_ioctl(struct file *file, unsigned int cmd, unsigned long arg) ...@@ -1447,29 +1447,29 @@ static long ddb_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
u8 *rbuf, *wbuf; u8 *rbuf, *wbuf;
if (copy_from_user(&fio, parg, sizeof(fio))) if (copy_from_user(&fio, parg, sizeof(fio)))
break; return -EFAULT;
if (fio.write_len + fio.read_len > 1028) {
printk(KERN_ERR "IOBUF too small\n"); if (fio.write_len > 1028 || fio.read_len > 1028)
return -ENOMEM; return -EINVAL;
} if (fio.write_len + fio.read_len > 1028)
return -EINVAL;
wbuf = &dev->iobuf[0]; wbuf = &dev->iobuf[0];
if (!wbuf)
return -ENOMEM;
rbuf = wbuf + fio.write_len; rbuf = wbuf + fio.write_len;
if (copy_from_user(wbuf, fio.write_buf, fio.write_len)) {
vfree(wbuf); if (copy_from_user(wbuf, fio.write_buf, fio.write_len))
break; return -EFAULT;
} res = flashio(dev, wbuf, fio.write_len, rbuf, fio.read_len);
res = flashio(dev, wbuf, fio.write_len, if (res)
rbuf, fio.read_len); return res;
if (copy_to_user(fio.read_buf, rbuf, fio.read_len)) if (copy_to_user(fio.read_buf, rbuf, fio.read_len))
res = -EFAULT; return -EFAULT;
break; break;
} }
default: default:
break; return -ENOTTY;
} }
return res; return 0;
} }
static const struct file_operations ddb_fops = { static const struct file_operations ddb_fops = {
......
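Review bot: The new length checks in the IOCTL_DDB_FLASHIO case still compare against the literal 1028 rather than the size of the buffer they protect, so the bound and `dev->iobuf` can drift apart if the array is ever resized. The commit message says iobuf is an array embedded in the struct, so both checks can be written once, with no addition that could wrap, as `if (fio.write_len > sizeof(dev->iobuf) || fio.read_len > sizeof(dev->iobuf) - fio.write_len) return -EINVAL;`. The declaration of `fio` sits between the two hunks, so the field types are not visible; the suggestion assumes they are unsigned, as the overflow described in the commit message implies. Separately, `dev->iobuf` is per-device and nothing visible here serializes callers, so two concurrent ioctls on the same device could overwrite each other's data between the copy_from_user() and the copy_to_user(). A mutex held across that span would close the window, unless locking already exists outside the hunk.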