From c65c64d0f0b269b1239fdce253fd4717281cc98d Mon Sep 17 00:00:00 2001 From: H Hartley Sweeten Date: Fri, 25 Jan 2013 15:02:06 -0700 Subject: [PATCH] staging: comedi: quatech_daqp_cs: fix possible memory dereference issue In daqp_attach(), the first options value passed in the comedi_devconfig is used as an index to the private dev_table[] in this driver. This table is used to pass the pcmcia_device to the comedi_driver. Fix the code so that the index is checked before the table is accessed so that we don't get a possible memory dereference BUG. Change the error returned to the comedi core from -EIO to -ENODEV. Signed-off-by: H Hartley Sweeten Cc: Ian Abbott Signed-off-by: Greg Kroah-Hartman --- drivers/staging/comedi/drivers/quatech_daqp_cs.c | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/drivers/staging/comedi/drivers/quatech_daqp_cs.c b/drivers/staging/comedi/drivers/quatech_daqp_cs.c index 185632e70b97..2a5f9ab6f7c1 100644 --- a/drivers/staging/comedi/drivers/quatech_daqp_cs.c +++ b/drivers/staging/comedi/drivers/quatech_daqp_cs.c @@ -733,15 +733,16 @@ static int daqp_do_insn_write(struct comedi_device *dev, static int daqp_attach(struct comedi_device *dev, struct comedi_devconfig *it) { - int ret; - struct local_info_t *local = dev_table[it->options[0]]; + struct local_info_t *local; struct comedi_subdevice *s; + int ret; - if (it->options[0] < 0 || it->options[0] >= MAX_DEV || !local) { - dev_err(dev->class_dev, "No such daqp device %d\n", - it->options[0]); - return -EIO; - } + if (it->options[0] < 0 || it->options[0] >= MAX_DEV) + return -ENODEV; + + local = dev_table[it->options[0]]; + if (!local) + return -ENODEV; /* Typically brittle code that I don't completely understand, * but "it works on my card". The intent is to pull the model -- 2.30.2