For COMEDI_CMD ioctl, check chanlist_len > 0.

author Ian Abbott <abbotti@mev.co.uk>

Fri, 9 Nov 2007 13:50:14 +0000 (13:50 +0000)

committer Ian Abbott <abbotti@mev.co.uk>

Fri, 9 Nov 2007 13:50:14 +0000 (13:50 +0000)
author Ian Abbott <abbotti@mev.co.uk>
Fri, 9 Nov 2007 13:50:14 +0000 (13:50 +0000)
committer Ian Abbott <abbotti@mev.co.uk>
Fri, 9 Nov 2007 13:50:14 +0000 (13:50 +0000)
diff --git a/comedi/comedi_fops.c b/comedi/comedi_fops.c

index ecea4b4a679668be813c839ef92c3356c0f839da..2513b014e528902e7ba917df713a088076d2c9a9 100644 (file)
--- a/comedi/comedi_fops.c
+++ b/comedi/comedi_fops.c
@@ -942,12 +942,20 @@ static int do_cmd_ioctl(comedi_device * dev, void *arg, void *file)
  
         /* make sure channel/gain list isn't too long */
         if (user_cmd.chanlist_len > s->len_chanlist) {
-               DPRINTK("channel/gain list too long %d > %d\n",
+               DPRINTK("channel/gain list too long %u > %d\n",
                         user_cmd.chanlist_len, s->len_chanlist);
                 ret = -EINVAL;
                 goto cleanup;
         }
  
+       /* make sure channel/gain list isn't too short */
+       if (user_cmd.chanlist_len < 1) {
+               DPRINTK("channel/gain list too short %u < 1\n",
+                       user_cmd.chanlist_len);
+               ret = -EINVAL;
+               goto cleanup;
+       }
+
         if (async->cmd.chanlist)
                 kfree(async->cmd.chanlist);
         async->cmd = user_cmd;
author	Ian Abbott <abbotti@mev.co.uk>
	Fri, 9 Nov 2007 13:50:14 +0000 (13:50 +0000)
committer	Ian Abbott <abbotti@mev.co.uk>
	Fri, 9 Nov 2007 13:50:14 +0000 (13:50 +0000)