Bug 78561
| Summary: | ft1000 Null pointer dereference in ft1000_hw.c | ||
|---|---|---|---|
| Product: | Drivers | Reporter: | Maksymilian Arciemowicz (max) |
| Component: | Staging | Assignee: | drivers_staging (drivers_staging) |
| Status: | NEW --- | ||
| Severity: | normal | CC: | andrey_utkin, max |
| Priority: | P1 | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Kernel Version: | 3.15.1 | Subsystem: | |
| Regression: | No | Bisected commit-id: | |
Posted the patch: https://patchwork.kernel.org/patch/4486071/ Thanks for the report. |
Hi, Improper use of memcpy() without verifying result from malloc() may cause null pointer dereference --------------------------- linux-3.15.1/drivers/staging/ft1000/ft1000-usb/ft1000_hw.c /* send a command to ASIC * Parameters: ft1000_usb - device structure * ptempbuffer - command buffer * size - command buffer size */ void card_send_command(struct ft1000_usb *ft1000dev, void *ptempbuffer, int size) { unsigned short temp; unsigned char *commandbuf; DEBUG("card_send_command: enter card_send_command... size=%d\n", size); commandbuf = kmalloc(size + 2, GFP_KERNEL); <============== possible NULL memcpy((void *)commandbuf + 2, (void *)ptempbuffer, size); <======= CRASH --------------------------- BR, Maksymilian Arciemowicz http://cifrex.org/