User pointer dereferencing
Marcelo Tosatti
marcelo at kvack.org
Tue Jun 6 16:25:45 EDT 2006
Guys,
You cannot dereference a user pointer directly, that's why
copy_from_user/copy_to_user exist. Otherwise the user could pass an
invalid pointer and boom.
This change from 5.110.5 -> 5.110.7 is broken.
diff -Nur USB-8388-LINUX26-X86-5.110.5.p0-26318.P4/src_usb8388/wlan/wlan_wext.c USB-8388-FEDORA26-X86-5.110.7.p0-26318.P7/src_usb8388/wlan/wlan_wext.c
--- USB-8388-LINUX26-X86-5.110.5.p0-26318.P4/src_usb8388/wlan/wlan_wext.c 2006-04-27 22:50:38.000000000 -0300
+++ USB-8388-FEDORA26-X86-5.110.7.p0-26318.P7/src_usb8388/wlan/wlan_wext.c 2006-06-06 15:19:30.000000000 -0300
@@ -2572,16 +2632,14 @@
init_waitqueue_head(&pCmdNode->cmdwait_q);
pCmdPtr = (HostCmd_DS_GEN *) pCmdNode->BufVirtualAddr;
- if (copy_from_user(&gencmd, req->ifr_data, sizeof(gencmd))) {
- PRINTM(INFO, "Copy from user failed\n");
- return -EFAULT;
- }
+ gencmd = (HostCmd_DS_GEN *) req->ifr_data;
/*
* Copy the whole command into the command buffer
*/
if (copy_from_user(pCmdPtr, req->ifr_data, gencmd->Size)) {
PRINTM(INFO, "Copy from user failed\n");
+ kfree(tempResponseBuffer);
return -EFAULT;
}
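Review bot: The added `gencmd = (HostCmd_DS_GEN *) req->ifr_data;` turns `gencmd` into an alias for user memory, so the `gencmd->Size` length argument in the `copy_from_user(pCmdPtr, req->ifr_data, gencmd->Size)` call that follows is a direct kernel dereference of an unchecked user pointer. A bad `ifr_data` then faults in kernel context instead of returning -EFAULT. Keep the removed `copy_from_user(&gencmd, req->ifr_data, sizeof(gencmd))` header copy into a kernel-side struct and take the length from that copy, which also keeps the size from changing between the read and the second copy. Since the length is supplied by the caller, it should be checked against the size of the buffer behind `pCmdPtr` before the second copy; no such bound is visible in this hunk. If the header copy is restored and `tempResponseBuffer` is already allocated at that point, its failure path needs the same `kfree(tempResponseBuffer)` that this hunk adds to the second one.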