I'm Philip, from Professor Dawson Engler's Meta-Compilation Group at
Stanford University.
There is a bug in mtdchar.c of not freeing memory on error paths. databuf
is allocated but not freed if copy_from_user fails. The addition I made
was to kfree databuf before returning -EFAULT. Thanks!
Warmly,
Philip
linux/2.4.4/drivers/mtd/mtdchar.c Fri Feb 9 11:30:23 2001
+++ mtdchar.c Mon May 21 13:33:02 2001
@@ -310,9 +310,10 @@
if (!databuf)
return -ENOMEM;
- if (copy_from_user(databuf, buf.ptr, buf.length))
- return -EFAULT;
-
+ if (copy_from_user(databuf, buf.ptr, buf.length)) {
+ kfree(databuf);
+ return -EFAULT;
+ }
ret = (mtd->write_oob)(mtd, buf.start, buf.length, &retlen,
databuf);
if (copy_to_user((void *)arg + sizeof(loff_t), &retlen,
sizeof(ssize_t)))
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/