commit fae603121428ba83b7343c88e68a7144525ab3eb
author Stefan Richter <stefanr@s5r6.in-berlin.de> Wed Feb 20 21:10:06 2008 +0100
committer Stefan Richter <stefanr@s5r6.in-berlin.de> Thu Feb 21 19:05:56 2008 +0100
tree 41283a905b089cee26103187e54935abffb88207
parent 09d7328e62e3b4cefe4bf3eeeeacb54f62a7ae5c

firewire: fix NULL pointer deref. and resource leak

By supplying ioctl()s in the wrong order, a userspace client was able to
trigger NULL pointer dereferences.  Furthermore, by calling
ioctl_create_iso_context more than once, new contexts could be created
without ever freeing the previously created contexts.

Thanks to Anders Blomdell for the report.

Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>

drivers/firewire/fw-cdev.c

diff --git a/drivers/firewire/fw-cdev.c b/drivers/firewire/fw-cdev.c
index 44ccee2..46bc197 100644
--- a/drivers/firewire/fw-cdev.c
+++ b/drivers/firewire/fw-cdev.c
@@ -646,6 +646,10 @@
 	struct fw_cdev_create_iso_context *request = buffer;
 	struct fw_iso_context *context;
 
+	/* We only support one context at this time. */
+	if (client->iso_context != NULL)
+		return -EBUSY;
+
 	if (request->channel > 63)
 		return -EINVAL;
 
@@ -792,8 +796,9 @@
 {
 	struct fw_cdev_start_iso *request = buffer;
 
-	if (request->handle != 0)
+	if (client->iso_context == NULL || request->handle != 0)
 		return -EINVAL;
+
 	if (client->iso_context->type == FW_ISO_CONTEXT_RECEIVE) {
 		if (request->tags == 0 || request->tags > 15)
 			return -EINVAL;
@@ -810,7 +815,7 @@
 {
 	struct fw_cdev_stop_iso *request = buffer;
 
-	if (request->handle != 0)
+	if (client->iso_context == NULL || request->handle != 0)
 		return -EINVAL;
 
 	return fw_iso_context_stop(client->iso_context);