firewire: core: fix use-after-free regression in FCP handler (281e2032) · Commits · android / goshawk_kernel_oplus_sdm710 · GitLab

Commit 281e2032 authored Jan 24, 2010 by Stefan Richter

firewire: core: fix use-after-free regression in FCP handler



Commit db5d247a "firewire: fix use of multiple AV/C devices, allow
multiple FCP listeners" introduced a regression into 2.6.33-rc3:
The core freed payloads of incoming requests to FCP_Request or
FCP_Response before a userspace driver accessed them.

We need to copy such payloads for each registered userspace client
and free the copies according to the lifetime rules of non-FCP client
request resources.

(This could possibly be optimized by reference counts instead of
copies.)

The presently only kernelspace driver which listens for FCP requests,
firedtv, was not affected because it already copies FCP frames into an
own buffer before returning to firewire-core's FCP handler dispatcher.

Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>

parent 6d3faf6f

Hide whitespace changes

Inline Side-by-side

peturbg @peturbg
mentioned in commit 38ec26a4
· Apr 01, 2023

mentioned in commit 38ec26a4

mentioned in commit 38ec26a47a37292c21d46c29b9acbb6fdaf130a4

Toggle commit list
peturbg @peturbg
mentioned in commit 940da0ed
· Apr 04, 2023

mentioned in commit 940da0ed

mentioned in commit 940da0ed5c1f2241c49b8b47725b750e87632b80

Toggle commit list

Please register or to comment