[PATCH] usb: drivers/usb/core/devio.c dereferences a userspace pointer

See http://bugzilla.kernel.org/show_bug.cgi?id=6617. This function dereference a __user pointer. Signed-off-by: Philippe Retornaz <couriousous@mandriva.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

[PATCH] usb: drivers/usb/core/devio.c dereferences a userspace pointer
See http://bugzilla.kernel.org/show_bug.cgi?id=6617. This function dereference a __user pointer. Signed-off-by: Philippe Retornaz <couriousous@mandriva.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
786dc1d3 · Philippe Retornaz · Greg Kroah-Hartman · 6ad07129 · 786dc1d3
Commit 786dc1d3 authored Jun 01, 2006 by Philippe Retornaz Committed by Greg Kroah-Hartman Jun 21, 2006
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 2 deletions

drivers/usb/core/devio.c drivers/usb/core/devio.c +6 -2

No files found.
--- a/drivers/usb/core/devio.c
+++ b/drivers/usb/core/devio.c
@@ -1078,7 +1078,9 @@ static int proc_submiturb(struct dev_state *ps, void __user *arg)
 	if (copy_from_user(&uurb, arg, sizeof(uurb)))
 		return -EFAULT;

-	return proc_do_submiturb(ps, &uurb, (((struct usbdevfs_urb __user *)arg)->iso_frame_desc), arg);
+	return proc_do_submiturb(ps, &uurb,
+		(struct usbdevfs_iso_packet_desc __user *)uurb.iso_frame_desc,
+		arg);
 }

 static int proc_unlinkurb(struct dev_state *ps, void __user *arg)
@@ -1203,7 +1205,9 @@ static int proc_submiturb_compat(struct dev_state *ps, void __user *arg)
 	if (get_urb32(&uurb,(struct usbdevfs_urb32 *)arg))
 		return -EFAULT;

-	return proc_do_submiturb(ps, &uurb, ((struct usbdevfs_urb32 __user *)arg)->iso_frame_desc, arg);
+	return proc_do_submiturb(ps, &uurb,
+		(struct usbdevfs_iso_packet_desc __user *)uurb.iso_frame_desc,
+		arg);
 }

 static int processcompl_compat(struct async *as, void __user * __user *arg)