From 1eb3e856ef2df766dcd00c40ec6f4e32fc1079b9 Mon Sep 17 00:00:00 2001
From: Ian Abbott <abbotti@mev.co.uk>
Date: Fri, 9 Nov 2007 13:50:14 +0000
Subject: [PATCH] For COMEDI_CMD ioctl, check chanlist_len > 0.

---
 comedi/comedi_fops.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/comedi/comedi_fops.c b/comedi/comedi_fops.c
index ecea4b4a..2513b014 100644
--- a/comedi/comedi_fops.c
+++ b/comedi/comedi_fops.c
@@ -942,12 +942,20 @@ static int do_cmd_ioctl(comedi_device * dev, void *arg, void *file)
 
 	/* make sure channel/gain list isn't too long */
 	if (user_cmd.chanlist_len > s->len_chanlist) {
-		DPRINTK("channel/gain list too long %d > %d\n",
+		DPRINTK("channel/gain list too long %u > %d\n",
 			user_cmd.chanlist_len, s->len_chanlist);
 		ret = -EINVAL;
 		goto cleanup;
 	}
 
+	/* make sure channel/gain list isn't too short */
+	if (user_cmd.chanlist_len < 1) {
+		DPRINTK("channel/gain list too short %u < 1\n",
+			user_cmd.chanlist_len);
+		ret = -EINVAL;
+		goto cleanup;
+	}
+
 	if (async->cmd.chanlist)
 		kfree(async->cmd.chanlist);
 	async->cmd = user_cmd;
-- 
2.26.2