From d0acfa404d8a10c55a1756adc8bdcf6b636c2980 Mon Sep 17 00:00:00 2001
From: Ian Abbott
Date: Thu, 15 Dec 2011 19:06:37 +0000
Subject: [PATCH] s526: don't access *data when insn->n == 0
Due to recent change to do_insnlist_ioctl() and do_insn_ioctl(), the 'data' pointer will be NULL when insn->n == 0. Do not access *data in this case. Also the INSN_WRITE code for pulse-train generation should only access data[1] if insn->n >= 2.
Signed-off-by: Ian Abbott
---
 comedi/drivers/s526.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/comedi/drivers/s526.c b/comedi/drivers/s526.c
index 818b1c94..b6670582 100644
--- a/comedi/drivers/s526.c
+++ b/comedi/drivers/s526.c
@@ -743,6 +743,11 @@ static int s526_gpct_winsn(comedi_device * dev, comedi_subdevice * s,
 printk("s526: GPCT_INSN_WRITE on channel %d\n", subdev_channel);
 cmReg.value = inw(ADDR_CHAN_REG(REG_C0M, subdev_channel));
 printk("s526: Counter Mode Register: %x\n", cmReg.value);
+ if (insn->n < 1) {
+ printk("S525: INSN_WRITE: Can't handle data length %u\n",
+ insn->n);
+ return -EINVAL;
+ }
 // Check what Application of Counter this channel is configured for
 switch (devpriv->s526_gpct_config[subdev_channel].app) {
 case PositionMeasurement:
@@ -767,7 +772,11 @@ static int s526_gpct_winsn(comedi_device * dev, comedi_subdevice * s,
 pulse frequency on the selected source
 */
 printk("S526: INSN_WRITE: PTG\n");
- if ((insn->data[1] > insn->data[0]) && (insn->data[0] > 0)) {
+ if (insn->n < 2) {
+ printk("s526: INSN_WRITE: PTG: Problem with data length -> %u\n",
+ insn->n);
+ return -EINVAL;
+ } else if ((insn->data[1] > insn->data[0]) && (insn->data[0] > 0)) {
 (devpriv->s526_gpct_config[subdev_channel]).data[0] =
 insn->data[0];
 (devpriv->s526_gpct_config[subdev_channel]).data[1] =
--
2.26.2
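Review bot: The tag in the new error message reads `S525:` while the driver and the neighbouring messages use `s526:`/`S526:`, so a grep of the kernel log for the driver name misses this rejection; it should be `printk("s526: INSN_WRITE: Can't handle data length %u\n", insn->n);`. The guard also sits after the `inw()` register read and two unconditional printk calls, so a zero-length write still touches the hardware and logs twice before it is refused. Moving the `insn->n < 1` test ahead of them would reject it first; the function starts outside the hunk, so confirm nothing earlier depends on that read. These messages are reachable from the instruction ioctl path named in the description, presumably by any user who can open the device, so an explicit log level and rate limiting are worth considering.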
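Review bot: The `else` after `return -EINVAL;` in the new PTG length check is redundant and couples the existing range test to the guard. Closing the guard with a plain `}` and keeping `if ((insn->data[1] > insn->data[0]) && (insn->data[0] > 0)) {` as its own statement reads more clearly and leaves that line untouched in the diff. The new message uses the prefix `s526:` while the PTG message directly above it uses `S526:`; one casing keeps log filters simple. The other cases of the switch are outside the hunk, and any of them that read `data[1]` need the same `insn->n < 2` check.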