staging: comedi: don't dereference user memory for INSN_INTTRIG

commit 5d06e3df280bd230e2eadc16372e62818c63e894 upstream. `parse_insn()` is dereferencing the user-space pointer `insn->data` directly when handling the `INSN_INTTRIG` comedi instruction. It shouldn't be using `insn->data` at all; it should be using the separate `data` pointer passed to the function. Fix it. Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
author: Ian Abbott <abbotti@mev.co.uk> 2012-09-18 19:46:58 +0100
committer: Ben Hutchings <ben@decadent.org.uk> 2012-10-17 03:48:36 +0100
commit: 20a94a21d7cc392568e70c945983ecf5a79851ff (patch)
tree: fffb4a650751bcb9a739d2863d488bf3dcef765e /drivers/staging
parent: 3a5a8c3f40090ff66c7738e0ebff8d61a5a9b318 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/staging/comedi/comedi_fops.c b/drivers/staging/comedi/comedi_fops.c
index 4ad2c0efc5c..c08c7190426 100644
--- a/drivers/staging/comedi/comedi_fops.c
+++ b/drivers/staging/comedi/comedi_fops.c
@@ -843,7 +843,7 @@ static int parse_insn(struct comedi_device *dev, struct comedi_insn *insn,
 				ret = -EAGAIN;
 				break;
 			}
-			ret = s->async->inttrig(dev, s, insn->data[0]);
+			ret = s->async->inttrig(dev, s, data[0]);
 			if (ret >= 0)
 				ret = 1;
 			break;
author	Ian Abbott <abbotti@mev.co.uk>	2012-09-18 19:46:58 +0100
committer	Ben Hutchings <ben@decadent.org.uk>	2012-10-17 03:48:36 +0100
commit	20a94a21d7cc392568e70c945983ecf5a79851ff (patch)
tree	fffb4a650751bcb9a739d2863d488bf3dcef765e /drivers/staging
parent	3a5a8c3f40090ff66c7738e0ebff8d61a5a9b318 (diff)