From 860eb4ab48edb1277b8ca95ace034b1a2581f98d Mon Sep 17 00:00:00 2001 From: Shaun Ruffell Date: Tue, 14 Jan 2014 15:13:28 -0600 Subject: [PATCH] dahdi: Do not access invalid memory if invalid local span number is passed to spantype attribute. This fixes potential kernel panic due to accessing invalid memory if passing invalid local span number to 'spantype' attribute via sysfs. Signed-off-by: Shaun Ruffell --- drivers/dahdi/dahdi-sysfs.c | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/drivers/dahdi/dahdi-sysfs.c b/drivers/dahdi/dahdi-sysfs.c index 322a496..fea0cc1 100644 --- a/drivers/dahdi/dahdi-sysfs.c +++ b/drivers/dahdi/dahdi-sysfs.c @@ -629,7 +629,8 @@ dahdi_spantype_store(struct device *dev, struct device_attribute *attr, { struct dahdi_device *const ddev = to_ddev(dev); int ret; - struct dahdi_span *span; + struct dahdi_span *span = NULL; + struct dahdi_span *cur; unsigned int local_span_number; char spantype_name[80]; enum spantypes spantype; @@ -645,9 +646,18 @@ dahdi_spantype_store(struct device *dev, struct device_attribute *attr, return -EINVAL; } - list_for_each_entry(span, &ddev->spans, device_node) { - if (local_spanno(span) == local_span_number) + list_for_each_entry(cur, &ddev->spans, device_node) { + if (local_spanno(cur) == local_span_number) { + span = cur; break; + } + } + + if (!span || (local_spanno(span) != local_span_number)) { + module_printk(KERN_WARNING, + "%d is not a valid local span number " + "for this device.\n", local_span_number); + return -EINVAL; } if (test_bit(DAHDI_FLAGBIT_REGISTERED, &span->flags)) { @@ -656,12 +666,6 @@ dahdi_spantype_store(struct device *dev, struct device_attribute *attr, return -EINVAL; } - if (local_spanno(span) != local_span_number) { - module_printk(KERN_WARNING, - "%d is not a valid local span number " - "for this device.\n", local_span_number); - return -EINVAL; - } if (!span->ops->set_spantype) { module_printk(KERN_WARNING, "Span %s does not support "