Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 46fd5a35 authored by Dan Carpenter's avatar Dan Carpenter Committed by Greg Kroah-Hartman
Browse files

staging: comedi: verify array index is correct before using it 



[ Upstream commit ef75e14a6c935eec82abac07ab68e388514e39bc ]

This code reads from the array before verifying that "trig" is a valid
index.  If the index is wildly out of bounds then reading from an
invalid address could lead to an Oops.

Fixes: a8c66b68 ("staging: comedi: addi_apci_1500: rewrite the subdevice support functions")
Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: default avatarIan Abbott <abbotti@mev.co.uk>
Link: https://lore.kernel.org/r/20200709102936.GA20875@mwanda


Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
parent 22bc69d5

drivers/staging/comedi/drivers/addi_apci_1500.c

+7 −3
Original line number Diff line number Diff line
@@ -456,9 +456,9 @@ static int apci1500_di_cfg_trig(struct comedi_device *dev, 
	unsigned int lo_mask = data[5] << shift;

	unsigned int chan_mask = hi_mask | lo_mask;

	unsigned int old_mask = (1 << shift) - 1;

	unsigned int pm = devpriv->pm[trig] & old_mask;

	unsigned int pt = devpriv->pt[trig] & old_mask;

	unsigned int pp = devpriv->pp[trig] & old_mask;

	unsigned int pm;

	unsigned int pt;

	unsigned int pp;



	if (trig > 1) {

		dev_dbg(dev->class_dev,
@@ -471,6 +471,10 @@ static int apci1500_di_cfg_trig(struct comedi_device *dev, 
		return -EINVAL;

	}



	pm = devpriv->pm[trig] & old_mask;

	pt = devpriv->pt[trig] & old_mask;

	pp = devpriv->pp[trig] & old_mask;



	switch (data[2]) {

	case COMEDI_DIGITAL_TRIG_DISABLE:

		/* clear trigger configuration */