firewire: fix NULL pointer deref. and resource leak
By supplying ioctl()s in the wrong order, a userspace client was able to trigger NULL pointer dereferences. Furthermore, by calling ioctl_create_iso_context more than once, new contexts could be created without ever freeing the previously created contexts. Thanks to Anders Blomdell for the report. Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
This commit is contained in:
parent
09d7328e62
commit
fae6031214
@ -646,6 +646,10 @@ static int ioctl_create_iso_context(struct client *client, void *buffer)
|
||||
struct fw_cdev_create_iso_context *request = buffer;
|
||||
struct fw_iso_context *context;
|
||||
|
||||
/* We only support one context at this time. */
|
||||
if (client->iso_context != NULL)
|
||||
return -EBUSY;
|
||||
|
||||
if (request->channel > 63)
|
||||
return -EINVAL;
|
||||
|
||||
@ -792,8 +796,9 @@ static int ioctl_start_iso(struct client *client, void *buffer)
|
||||
{
|
||||
struct fw_cdev_start_iso *request = buffer;
|
||||
|
||||
if (request->handle != 0)
|
||||
if (client->iso_context == NULL || request->handle != 0)
|
||||
return -EINVAL;
|
||||
|
||||
if (client->iso_context->type == FW_ISO_CONTEXT_RECEIVE) {
|
||||
if (request->tags == 0 || request->tags > 15)
|
||||
return -EINVAL;
|
||||
@ -810,7 +815,7 @@ static int ioctl_stop_iso(struct client *client, void *buffer)
|
||||
{
|
||||
struct fw_cdev_stop_iso *request = buffer;
|
||||
|
||||
if (request->handle != 0)
|
||||
if (client->iso_context == NULL || request->handle != 0)
|
||||
return -EINVAL;
|
||||
|
||||
return fw_iso_context_stop(client->iso_context);
|
||||
|
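Review bot: The new `if (client->iso_context != NULL) return -EBUSY;` in ioctl_create_iso_context is a check-then-assign on client->iso_context with no locking visible in the hunk; if the ioctl entry point is not serialized per client, two concurrent callers can both pass the test, and the second context presumably stored later in the function (outside the hunk) would overwrite and leak the first, which is the leak the commit sets out to close. If the driver relies on the ioctl path being serialized, a one-line comment at the check would make that assumption reviewable: `/* relies on ioctl serialization: this check and the later assignment are not atomic */`. The same unsynchronized read of client->iso_context recurs in the ioctl_start_iso and ioctl_stop_iso hunks, where a concurrent create or teardown for the same client would race the new NULL test. The remainder of ioctl_create_iso_context, including the assignment, lies outside the hunk.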