Commit 1a4c6c5d authored by Gerd Knorr's avatar Gerd Knorr Committed by Linus Torvalds

[PATCH] Fix oops in video_register_device

degerrit@web.de wrote:
   "I caused an oops in unusual circumstances by accidentally "forcing" a
    video device number which was too high or already taken (don't know
    which). I assume this probably shouldn't give an oops (though it was my
     fault), so here's a bugreport..."

Fixed by adding a range check for the number passed in by the driver.
parent fb2fc47c
...@@ -316,7 +316,14 @@ int video_register_device(struct video_device *vfd, int type, int nr) ...@@ -316,7 +316,14 @@ int video_register_device(struct video_device *vfd, int type, int nr)
/* pick a minor number */ /* pick a minor number */
down(&videodev_lock); down(&videodev_lock);
if (-1 == nr) { if (nr >= 0 && nr < end-base) {
/* use the one the driver asked for */
i = base+nr;
if (NULL != video_device[i]) {
up(&videodev_lock);
return -ENFILE;
}
} else {
/* use first free */ /* use first free */
for(i=base;i<end;i++) for(i=base;i<end;i++)
if (NULL == video_device[i]) if (NULL == video_device[i])
...@@ -325,13 +332,6 @@ int video_register_device(struct video_device *vfd, int type, int nr) ...@@ -325,13 +332,6 @@ int video_register_device(struct video_device *vfd, int type, int nr)
up(&videodev_lock); up(&videodev_lock);
return -ENFILE; return -ENFILE;
} }
} else {
/* use the one the driver asked for */
i = base+nr;
if (NULL != video_device[i]) {
up(&videodev_lock);
return -ENFILE;
}
} }
video_device[i]=vfd; video_device[i]=vfd;
vfd->minor=i; vfd->minor=i;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment