summaryrefslogtreecommitdiff
path: root/drivers/staging
diff options
context:
space:
mode:
authorVasiliy Kulikov <segooon@gmail.com>2010-10-10 21:28:51 +0400
committerGreg Kroah-Hartman <gregkh@suse.de>2010-11-09 13:24:13 -0800
commitea07a9f2557b8ea99a0cdd778a5d94a7495bb049 (patch)
treef90e84e0fd92803297814adbc04ec43ca8a7d1d2 /drivers/staging
parentc888d4e7b2644c7ff17098b0b521c29b98e0abd0 (diff)
staging: stradis: fix error handling and information leak to userland
configure_saa7146() didn't free irq on error. saa_open() didn't decrease reference count of saa on error. saa_ioctl() leaked information from the kernel stack to userland as it didn't fill copied structs with zeros. Signed-off-by: Vasiliy Kulikov <segooon@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'drivers/staging')
-rw-r--r--drivers/staging/stradis/stradis.c11
1 files changed, 10 insertions, 1 deletions
diff --git a/drivers/staging/stradis/stradis.c b/drivers/staging/stradis/stradis.c
index a057824e7ebc..807dd7eb748f 100644
--- a/drivers/staging/stradis/stradis.c
+++ b/drivers/staging/stradis/stradis.c
@@ -1286,6 +1286,7 @@ static long saa_ioctl(struct file *file,
case VIDIOCGCAP:
{
struct video_capability b;
+ memset(&b, 0, sizeof(b));
strcpy(b.name, saa->video_dev.name);
b.type = VID_TYPE_CAPTURE | VID_TYPE_OVERLAY |
VID_TYPE_CLIPPING | VID_TYPE_FRAMERAM |
@@ -1416,6 +1417,7 @@ static long saa_ioctl(struct file *file,
case VIDIOCGWIN:
{
struct video_window vw;
+ memset(&vw, 0, sizeof(vw));
vw.x = saa->win.x;
vw.y = saa->win.y;
vw.width = saa->win.width;
@@ -1448,6 +1450,7 @@ static long saa_ioctl(struct file *file,
case VIDIOCGFBUF:
{
struct video_buffer v;
+ memset(&v, 0, sizeof(v));
v.base = (void *)saa->win.vidadr;
v.height = saa->win.sheight;
v.width = saa->win.swidth;
@@ -1492,6 +1495,7 @@ static long saa_ioctl(struct file *file,
case VIDIOCGAUDIO:
{
struct video_audio v;
+ memset(&v, 0, sizeof(v));
v = saa->audio_dev;
v.flags &= ~(VIDEO_AUDIO_MUTE | VIDEO_AUDIO_MUTABLE);
v.flags |= VIDEO_AUDIO_MUTABLE | VIDEO_AUDIO_VOLUME;
@@ -1534,6 +1538,7 @@ static long saa_ioctl(struct file *file,
case VIDIOCGUNIT:
{
struct video_unit vu;
+ memset(&vu, 0, sizeof(vu));
vu.video = saa->video_dev.minor;
vu.vbi = VIDEO_NO_UNIT;
vu.radio = VIDEO_NO_UNIT;
@@ -1888,6 +1893,7 @@ static int saa_open(struct file *file)
saa->user++;
if (saa->user > 1) {
+ saa->user--;
unlock_kernel();
return 0; /* device open already, don't reset */
}
@@ -2000,10 +2006,13 @@ static int __devinit configure_saa7146(struct pci_dev *pdev, int num)
if (retval < 0) {
dev_err(&pdev->dev, "%d: error in registering video device!\n",
num);
- goto errio;
+ goto errirq;
}
return 0;
+
+errirq:
+ free_irq(saa->irq, saa);
errio:
iounmap(saa->saa7146_mem);
err: