Hello!

There is a bug in driver.c of not freeing memory on error 
paths.  buf.pointer is allocated but not freed if copy_to_user fails.  The 
addition I made was to kfree buf.pointer before returning -EFAULT.  Thanks!

Philip

--- /2.4.4/linux/drivers/acpi/driver.c  Fri Feb  9 11:45:58 2001
+++ driver.c    Mon May 21 19:21:14 2001
@@ -311,8 +311,10 @@
                size = buf.length - file->f_pos;
                if (size > *len)
                        size = *len;
-               if (copy_to_user(buffer, data, size))
-                       return -EFAULT;
+               if (copy_to_user(buffer, data, size)) {
+                       kfree(buf.pointer);
+                       return -EFAULT;
+               }
        }

        kfree(buf.pointer);
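
Review bot: The kfree(buf.pointer) added in the copy_to_user failure branch duplicates the kfree(buf.pointer) that already follows the enclosing block, so the buffer now has two release points that must be kept in sync. Consider recording the error in a local return variable (a hypothetical "ret = -EFAULT;") and letting control reach the existing kfree before a single return, so any later error path in this block cannot reintroduce the leak. Separately, the header paths differ in depth ("/2.4.4/linux/drivers/acpi/driver.c" against "driver.c"), so the patch will not apply with one -p level; regenerating it from the top of the source tree would fix that.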
