Hey All,
Here are a few bug fixes in net/wanrouter/wanmain.c
line 765: variable conf (1272 bytes) is allocated on the stack
line 617: conf is used after it has been freed
line 803: pppdev is not freed before aborting on a later NULL check
Thanks!
-aki-
--- net/wanrouter/wanmain.c.orig Thu Apr 12 12:11:39 2001
+++ net/wanrouter/wanmain.c Tue May 22 23:49:30 2001
@@ -611,10 +611,10 @@
if (conf->data_size && conf->data){
if(conf->data_size > 128000 || conf->data_size < 0) {
- kfree(conf);
printk(KERN_INFO
"%s: ERROR, Invalid firmware data size %i !\n",
wandev->name, conf->data_size);
+ kfree(conf);
return -EINVAL;;
}
@@ -762,7 +762,7 @@
static int device_new_if (wan_device_t *wandev, wanif_conf_t *u_conf)
{
- wanif_conf_t conf;
+ wanif_conf_t *conf;
netdevice_t *dev=NULL;
#ifdef CONFIG_WANPIPE_MULTPPP
struct ppp_device *pppdev=NULL;
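Review bot: `conf` becomes an uninitialised pointer here, and no hunk in this patch assigns it; the added lines in the -773 hunk account for its whole line-count change, so there is no room for an allocation that was merely trimmed from the posting. As posted, `copy_from_user(conf, u_conf, sizeof(wanif_conf_t))` in the next hunk would write user-supplied bytes through an indeterminate kernel pointer, and every added `kfree(conf)` would free that same garbage value. Allocate after the `-ENODEV` check and before the copy with `conf = kmalloc(sizeof(wanif_conf_t), GFP_KERNEL);` followed by `if (conf == NULL) return -ENOBUFS;`. Declaring it as `wanif_conf_t *conf = NULL;` would at least make a missed assignment fault on first use rather than corrupt memory silently. The body of device_new_if continues outside this hunk.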
@@ -773,26 +773,33 @@
return -ENODEV;
#if defined (LINUX_2_1) || defined (LINUX_2_4)
- if(copy_from_user(&conf, u_conf, sizeof(wanif_conf_t)))
+ if(copy_from_user(conf, u_conf, sizeof(wanif_conf_t))){
+ kfree(conf);
return -EFAULT;
+ }
#else
err = verify_area(VERIFY_READ, u_conf, sizeof(wanif_conf_t));
- if (err)
+ if (err){
+ kfree(conf);
return err;
- memcpy_fromfs((void*)&conf, (void*)u_conf, sizeof(wanif_conf_t));
+ }
+ memcpy_fromfs((void*)conf, (void*)u_conf, sizeof(wanif_conf_t));
#endif
- if (conf.magic != ROUTER_MAGIC)
+ if (conf->magic != ROUTER_MAGIC){
+ kfree(conf);
return -EINVAL;
+ }
err = -EPROTONOSUPPORT;
#ifdef CONFIG_WANPIPE_MULTPPP
- if (conf.config_id == WANCONFIG_MPPP){
+ if (conf->config_id == WANCONFIG_MPPP){
pppdev = kmalloc(sizeof(struct ppp_device), GFP_KERNEL);
if (pppdev == NULL){
+ kfree(conf);
return -ENOBUFS;
}
memset(pppdev, 0, sizeof(struct ppp_device));
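Review bot: Every early return in this hunk now carries its own `kfree(conf)`, and the same pattern repeats in the hunks at -800, -817, -825, -836 and -876, so any exit added later that forgets the call leaks the buffer. The function already ends in a shared error path (the -891 hunk), so the early exits could set `err` and jump to a single label placed just before the final `kfree(conf); return err;`, for example `err = -EFAULT; goto out_free_conf;`. Exits taken after `pppdev` or `dev` has been allocated would still need their own frees or a second label. The function starts and ends outside this hunk, so the label placement is inferred from the last hunk only.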
@@ -800,6 +807,8 @@
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,2,16)
pppdev->dev = kmalloc(sizeof(netdevice_t), GFP_KERNEL);
if (pppdev->dev == NULL){
+ kfree(conf);
+ kfree(pppdev);
return -ENOBUFS;
}
memset(pppdev->dev, 0, sizeof(netdevice_t));
@@ -817,6 +826,7 @@
dev = kmalloc(sizeof(netdevice_t), GFP_KERNEL);
if (dev == NULL){
+ kfree(conf);
return -ENOBUFS;
}
memset(dev, 0, sizeof(netdevice_t));
@@ -825,10 +835,11 @@
#else
/* Sync PPP is disabled */
- if (conf.config_id != WANCONFIG_MPPP){
+ if (conf->config_id != WANCONFIG_MPPP){
dev = kmalloc(sizeof(netdevice_t), GFP_KERNEL);
if (dev == NULL){
+ kfree(conf);
return -ENOBUFS;
}
memset(dev, 0, sizeof(netdevice_t));
@@ -836,6 +847,7 @@
}else{
printk(KERN_INFO "%s: Wanpipe Mulit-Port PPP support has not been
compiled in!\n",
wandev->name);
+ kfree(conf);
return err;
}
#endif
@@ -876,6 +888,7 @@
++wandev->ndev;
unlock_adapter_irq(&wandev->lock, &smp_flags);
+ kfree(conf);
return 0; /* done !!! */
}
}
@@ -891,18 +904,19 @@
#ifdef CONFIG_WANPIPE_MULTPPP
- if (conf.config_id == WANCONFIG_MPPP){
+ if (conf->config_id == WANCONFIG_MPPP){
kfree(pppdev);
}else{
kfree(dev);
}
#else
/* Sync PPP is disabled */
- if (conf.config_id != WANCONFIG_MPPP){
+ if (conf->config_id != WANCONFIG_MPPP){
kfree(dev);
}
#endif
+ kfree(conf);
return err;
}
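Review bot: On this error path the MPPP branch frees `pppdev` but not `pppdev->dev`, which the -800 hunk shows being allocated under `LINUX_VERSION_CODE >= KERNEL_VERSION(2,2,16)`. Unless the code between those hunks releases it (that code is not visible here), the inner `netdevice_t` leaks whenever interface creation fails after that point. If so, `kfree(pppdev->dev);` before `kfree(pppdev);`, under the same version guard, would close it. The body of the function above this hunk is outside the patch, so this needs checking against the full source.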