From: Ian Abbott <abbotti@mev.co.uk>
Date: Fri, 28 Sep 2012 11:05:05 +0000 (+0100)
Subject: s626: don't dereference insn->data
X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=44acf3a7093fd0c61b7af587e59cea4fd823c826;p=comedi.git

s626: don't dereference insn->data

`s626_enc_insn_config()` is incorrectly dereferencing `insn->data` which
is a pointer to user memory.  It should be using the separate `data`
parameter that points to a copy of the data in kernel memory.

Note that this insn_config handler is being used incorrectly by this
driver anyway.  `data[0]` should be used to select the type of
configuration being performed, but this driver is treating it as a
counter preload value.

Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
---

diff --git a/comedi/drivers/s626.c b/comedi/drivers/s626.c
index 14057ba1..059817c4 100644
--- a/comedi/drivers/s626.c
+++ b/comedi/drivers/s626.c
@@ -2263,7 +2263,7 @@ static int s626_enc_insn_config(comedi_device * dev, comedi_subdevice * s,
 	//  (data==NULL) ? (Preloadvalue=0) : (Preloadvalue=data[0]);
 
 	k->SetMode(dev, k, Setup, TRUE);
-	Preload(dev, k, *(insn->data));
+	Preload(dev, k, data[0]);
 	k->PulseIndex(dev, k);
 	SetLatchSource(dev, k, valueSrclatch);
 	k->SetEnable(dev, k, (uint16_t) (enab != 0));