From: David M. <da...@da...> - 2016-08-13 22:09:42
From: Vegard Nossum <veg...@or...>
Date: Fri, 12 Aug 2016 10:29:13 +0200

> If iriap_register_lsap() fails to allocate memory, self->lsap is
> set to NULL. However, none of the callers handle the failure and
> irlmp_connect_request() will happily dereference it:
...
> The bug seems to have been around since forever.
>
> There's more problems with missing error checks in iriap_init() (and
> indeed all of irda_init()), but that's a bigger problem that needs
> very careful review and testing. This patch will fix the most serious
> bug (as it's easily reached from unprivileged userspace).
>
> I have tested my patch with a reproducer.
>
> Signed-off-by: Vegard Nossum <veg...@or...>

Applied.