mtd/drivers/mtd cmdline.c,1.4,1.5

[rmk at infradead.org]

Update of /home/cvs/mtd/drivers/mtd
In directory phoenix.infradead.org:/tmp/cvs-serv2939

Modified Files:
	cmdline.c 
Log Message:
Avoid bad pointer dereferences in mtd partition cmd line parsing

In response to RMK's message to ipaq at handhelds.org
(http://www.handhelds.org/pipermail/ipaq/2002-November/016028.html),
checking the return value from memparse() before using the output
pointers when parsing mtd partition specs.

Patch from Dave Neuer.


Index: cmdline.c
===================================================================
RCS file: /home/cvs/mtd/drivers/mtd/cmdline.c,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- cmdline.c	13 Sep 2002 01:18:38 -0000	1.4
+++ cmdline.c	6 Nov 2002 22:40:04 -0000	1.5
@@ -92,6 +92,11 @@
 	else
 	{
 		size = memparse(s, &s);
+		if (!size)
+		{
+			printk(KERN_ERR ERRP "couldn't parse number from input string\n");
+			return 0;
+		}
 		if (size < PAGE_SIZE)
 		{
 			printk(KERN_ERR ERRP "partition size too small (%lx)\n", size);
@@ -105,8 +110,13 @@
         /* check for offset */
         if (*s == '@') 
 	{
-           s++;
-           offset = memparse(s, &s);
+                s++;
+                offset = memparse(s, &s);
+		if (!offset)
+		{
+			printk(KERN_ERR ERRP "couldn't parse number from input string\n");
+			return 0;
+		}
         }
         /* now look for name */
 	if (*s == '(')
@@ -241,6 +251,17 @@
 				0,		/* first partition */
 				(unsigned char**)&this_mtd, /* out: extra mem */
 				mtd_id_len + 1 + sizeof(*this_mtd));
+		if(!parts)
+		{
+			/*
+			 * An error occurred. We're either:
+			 * a) out of memory, or
+			 * b) in the middle of the partition spec
+			 * Either way, this mtd is hosed and we're
+			 * unlikely to succeed in parsing any more
+			 */
+			 return 0;
+		 }
 
 		/* enter results */	    
 		this_mtd->parts = parts;