Skip to content
Snippets Groups Projects
Commit 749d00db authored by Roel Kluin's avatar Roel Kluin Committed by Greg Kroah-Hartman
Browse files

Staging: rspiusb: Fix buffer overflow 


usb_buffer_map_sg() may return -1. This will result in a read from
pdx->PixelUrb[frameInfo][-1]

Signed-off-by: default avatarRoel Kluin <roel.kluin@gmail.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
parent 5fb4d252
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
drivers/staging/rspiusb/rspiusb.c
+ 2
0
View file @ 749d00db
...@@ -716,6 +716,8 @@ static int MapUserBuffer(struct ioctl_struct *io, struct device_extension *pdx) ...@@ -716,6 +716,8 @@ static int MapUserBuffer(struct ioctl_struct *io, struct device_extension *pdx)
pdx->PixelUrb[frameInfo][i]->transfer_flags = pdx->PixelUrb[frameInfo][i]->transfer_flags =
URB_NO_TRANSFER_DMA_MAP | URB_NO_INTERRUPT; URB_NO_TRANSFER_DMA_MAP | URB_NO_INTERRUPT;
} }
if (i == 0)
return -EINVAL;
/* only interrupt when last URB completes */ /* only interrupt when last URB completes */
pdx->PixelUrb[frameInfo][--i]->transfer_flags &= ~URB_NO_INTERRUPT; pdx->PixelUrb[frameInfo][--i]->transfer_flags &= ~URB_NO_INTERRUPT;
pdx->pendedPixelUrbs[frameInfo] = pdx->pendedPixelUrbs[frameInfo] =
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment