Hi! > From: Dan Carpenter <dan.carpenter@xxxxxxxxxx> > > [ Upstream commit 2505a210fc126599013aec2be741df20aaacc490 ] > > If fw_csr_string() returns -ENOENT, then "name" is uninitialized. So > then the "strlen(model_names[i]) <= name_len" is true because strlen() > is unsigned and -ENOENT is type promoted to a very high positive value. > Then the "strncmp(name, model_names[i], name_len)" uses uninitialized > data because "name" is uninitialized. This causes memory leak, AFAICT. Signed-off-by: Pavel Machek (CIP) <pavel@xxxxxxx> Best regards, Pavel diff --git a/drivers/media/firewire/firedtv-fw.c b/drivers/media/firewire/firedtv-fw.c index eaf94b817dbc..2ac9d24d3f0c 100644 --- a/drivers/media/firewire/firedtv-fw.c +++ b/drivers/media/firewire/firedtv-fw.c @@ -271,8 +271,10 @@ static int node_probe(struct fw_unit *unit, const struct ieee1394_device_id *id) name_len = fw_csr_string(unit->directory, CSR_MODEL, name, sizeof(name)); - if (name_len < 0) - return name_len; + if (name_len < 0) { + err = name_len; + goto fail_free; + } for (i = ARRAY_SIZE(model_names); --i; ) if (strlen(model_names[i]) <= name_len && strncmp(name, model_names[i], name_len) == 0) -- (english) http://www.livejournal.com/~pavelmachek (cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
Attachment:
signature.asc
Description: Digital signature