From: Ian Abbott Date: Tue, 18 Sep 2012 19:00:08 +0000 (+0100) Subject: comedi_fops: fix user-memory dereference for INSN_INTTRIG X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=edac7e58d4b28e03b5d76d83b8890469c5e83c6a;p=comedi.git comedi_fops: fix user-memory dereference for INSN_INTTRIG The parse_insn() function shouldn't dereference `insn->data` as that is pointing to user-space memory. It should deference the separate `data` parameter instead, which points to a kernel copy of the data. Only the `INSN_INTTRIG` case needs fixing. Fix it. Signed-off-by: Ian Abbott --- diff --git a/comedi/comedi_fops.c b/comedi/comedi_fops.c index 53d6acaf..d4e209db 100644 --- a/comedi/comedi_fops.c +++ b/comedi/comedi_fops.c @@ -882,7 +882,7 @@ static int parse_insn(comedi_device * dev, comedi_insn * insn, lsampl_t * data, ret = -EAGAIN; break; } - ret = s->async->inttrig(dev, s, insn->data[0]); + ret = s->async->inttrig(dev, s, data[0]); if (ret >= 0) ret = 1; break;