Home Explore Help
Sign In
GfA
/
linux_kernel
5
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

Staging: rspiusb: Fix buffer overflow

usb_buffer_map_sg() may return -1. This will result in a read from
pdx->PixelUrb[frameInfo][-1]

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Roel Kluin 16 years ago
parent
5fb4d2525b
commit
749d00dbf1
1 changed files with 2 additions and 0 deletions
Unified View Show Diff Stats
  1. 2 0
      drivers/staging/rspiusb/rspiusb.c

+ 2 - 0
drivers/staging/rspiusb/rspiusb.c
View File 

@@ -716,6 +716,8 @@ static int MapUserBuffer(struct ioctl_struct *io, struct device_extension *pdx)
 
 		pdx->PixelUrb[frameInfo][i]->transfer_flags =
 
 		pdx->PixelUrb[frameInfo][i]->transfer_flags =
 
 		    URB_NO_TRANSFER_DMA_MAP | URB_NO_INTERRUPT;
 
 		    URB_NO_TRANSFER_DMA_MAP | URB_NO_INTERRUPT;
 
 	}
 
 	}
 
+	if (i == 0)
 
+		return -EINVAL;
 
 	/* only interrupt when last URB completes */
 
 	/* only interrupt when last URB completes */
 
 	pdx->PixelUrb[frameInfo][--i]->transfer_flags &= ~URB_NO_INTERRUPT;
 
 	pdx->PixelUrb[frameInfo][--i]->transfer_flags &= ~URB_NO_INTERRUPT;
 
 	pdx->pendedPixelUrbs[frameInfo] =
 
 	pdx->pendedPixelUrbs[frameInfo] =