comedi_fops: fix user-memory dereference for INSN_INTTRIG

The parse_insn() function shouldn't dereference `insn->data` as that is
pointing to user-space memory.  It should deference the separate `data`
parameter instead, which points to a kernel copy of the data.  Only the
`INSN_INTTRIG` case needs fixing.  Fix it.

Signed-off-by: Ian Abbott <abbotti@mev.co.uk>

diff --git a/comedi/comedi_fops.c b/comedi/comedi_fops.c
index 53d6acafd5cd91c207b3d40737c2c75fe548c4a0..d4e209dbf804956256a45689e99c2f75a00b28d2 100644 (file)
--- a/comedi/comedi_fops.c
+++ b/comedi/comedi_fops.c
@@ -882,7 +882,7 @@ static int parse_insn(comedi_device * dev, comedi_insn * insn, lsampl_t * data,
                                ret = -EAGAIN;
                                break;
                        }
-                       ret = s->async->inttrig(dev, s, insn->data[0]);
+                       ret = s->async->inttrig(dev, s, data[0]);
                        if (ret >= 0)
                                ret = 1;
                        break;