Hi!
> From: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
>
> [ Upstream commit 2505a210fc126599013aec2be741df20aaacc490 ]
>
> If fw_csr_string() returns -ENOENT, then "name" is uninitialized. So
> then the "strlen(model_names[i]) <= name_len" is true because strlen()
> is unsigned and -ENOENT is type promoted to a very high positive value.
> Then the "strncmp(name, model_names[i], name_len)" uses uninitialized
> data because "name" is uninitialized.
This causes memory leak, AFAICT.
Signed-off-by: Pavel Machek (CIP) <pavel@xxxxxxx>
Best regards,
Pavel
diff --git a/drivers/media/firewire/firedtv-fw.c b/drivers/media/firewire/firedtv-fw.c
index eaf94b817dbc..2ac9d24d3f0c 100644
--- a/drivers/media/firewire/firedtv-fw.c
+++ b/drivers/media/firewire/firedtv-fw.c
@@ -271,8 +271,10 @@ static int node_probe(struct fw_unit *unit, const struct ieee1394_device_id *id)
name_len = fw_csr_string(unit->directory, CSR_MODEL,
name, sizeof(name));
- if (name_len < 0)
- return name_len;
+ if (name_len < 0) {
+ err = name_len;
+ goto fail_free;
+ }
for (i = ARRAY_SIZE(model_names); --i; )
if (strlen(model_names[i]) <= name_len &&
strncmp(name, model_names[i], name_len) == 0)
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
Attachment:
signature.asc
Description: Digital signature
