[PATCH] drivers/mtd/mtdchar.c

[PATCH] drivers/mtd/mtdchar.c

[Philip Wang]

Hello!

I'm Philip, from Professor Dawson Engler's Meta-Compilation Group at 
Stanford University.

There is a bug in mtdchar.c of not freeing memory on error paths.  databuf 
is allocated but not freed if copy_from_user fails.  The addition I made 
was to kfree databuf before returning -EFAULT.  Thanks!

Warmly,

Philip

linux/2.4.4/drivers/mtd/mtdchar.c Fri Feb 9 11:30:23 2001
+++ mtdchar.c Mon May 21 13:33:02 2001
@@ -310,9 +310,10 @@
if (!databuf)
return -ENOMEM;

- if (copy_from_user(databuf, buf.ptr, buf.length))
- return -EFAULT;
-
+ if (copy_from_user(databuf, buf.ptr, buf.length)) {
+ kfree(databuf);
+ return -EFAULT;
+ }
ret = (mtd->write_oob)(mtd, buf.start, buf.length, &retlen,
databuf);

if (copy_to_user((void *)arg + sizeof(loff_t), &retlen,
sizeof(ssize_t)))

Re: [PATCH] drivers/mtd/mtdchar.c

[David Woodhouse]

PXWang@stanford.edu said:
>  There is a bug in mtdchar.c of not freeing memory on error paths.
> databuf  is allocated but not freed if copy_from_user fails.  The
> addition I made  was to kfree databuf before returning -EFAULT.
> Thanks!

Thankyou. I've now committed the fix to my tree and it'll be in the next 
merge with Linus, which should hopefully happen quite soon.

--
dwmw2