diff options
author | David S. Miller <davem@sunset.davemloft.net> | 2006-09-18 04:47:13 -0400 |
---|---|---|
committer | David S. Miller <davem@sunset.davemloft.net> | 2006-09-18 04:47:13 -0400 |
commit | b9b64e6e89fc5a6ef220747115c5b7764614ca3f (patch) | |
tree | 2d28434f793807b4a83bd5dc139e165c7c317389 /drivers/sbus/char/openprom.c | |
parent | 803db244b9f71102e366fd689000c1417b9a7508 (diff) |
[OPENPROMIO]: Handle current_node being NULL correctly.
If the user tries to traverse to the next node of the
last node, we get NULL in current_node and a zero phandle
returned. That's fine, but if the user tries to obtain
properties in that state, we try to dereference a NULL
pointer in the downcall to the of_*() routines.
So protect against that.
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'drivers/sbus/char/openprom.c')
-rw-r--r-- | drivers/sbus/char/openprom.c | 13 |
1 files changed, 10 insertions, 3 deletions
diff --git a/drivers/sbus/char/openprom.c b/drivers/sbus/char/openprom.c index 293bb2fdb1d5..2f698763ba5d 100644 --- a/drivers/sbus/char/openprom.c +++ b/drivers/sbus/char/openprom.c | |||
@@ -145,8 +145,9 @@ static int opromgetprop(void __user *argp, struct device_node *dp, struct openpr | |||
145 | void *pval; | 145 | void *pval; |
146 | int len; | 146 | int len; |
147 | 147 | ||
148 | pval = of_get_property(dp, op->oprom_array, &len); | 148 | if (!dp || |
149 | if (!pval || len <= 0 || len > bufsize) | 149 | !(pval = of_get_property(dp, op->oprom_array, &len)) || |
150 | len <= 0 || len > bufsize) | ||
150 | return copyout(argp, op, sizeof(int)); | 151 | return copyout(argp, op, sizeof(int)); |
151 | 152 | ||
152 | memcpy(op->oprom_array, pval, len); | 153 | memcpy(op->oprom_array, pval, len); |
@@ -161,6 +162,8 @@ static int opromnxtprop(void __user *argp, struct device_node *dp, struct openpr | |||
161 | struct property *prop; | 162 | struct property *prop; |
162 | int len; | 163 | int len; |
163 | 164 | ||
165 | if (!dp) | ||
166 | return copyout(argp, op, sizeof(int)); | ||
164 | if (op->oprom_array[0] == '\0') { | 167 | if (op->oprom_array[0] == '\0') { |
165 | prop = dp->properties; | 168 | prop = dp->properties; |
166 | if (!prop) | 169 | if (!prop) |
@@ -266,9 +269,13 @@ static int oprompci2node(void __user *argp, struct device_node *dp, struct openp | |||
266 | 269 | ||
267 | static int oprompath2node(void __user *argp, struct device_node *dp, struct openpromio *op, int bufsize, DATA *data) | 270 | static int oprompath2node(void __user *argp, struct device_node *dp, struct openpromio *op, int bufsize, DATA *data) |
268 | { | 271 | { |
272 | phandle ph = 0; | ||
273 | |||
269 | dp = of_find_node_by_path(op->oprom_array); | 274 | dp = of_find_node_by_path(op->oprom_array); |
275 | if (dp) | ||
276 | ph = dp->node; | ||
270 | data->current_node = dp; | 277 | data->current_node = dp; |
271 | *((int *)op->oprom_array) = dp->node; | 278 | *((int *)op->oprom_array) = ph; |
272 | op->oprom_size = sizeof(int); | 279 | op->oprom_size = sizeof(int); |
273 | 280 | ||
274 | return copyout(argp, op, bufsize + sizeof(int)); | 281 | return copyout(argp, op, bufsize + sizeof(int)); |