commit 786dc1d3d7333f269e17d742886eac2188a2d9cc
author Philippe Retornaz <couriousous@mandriva.org> Thu Jun 01 20:48:46 2006 -0700
committer Greg Kroah-Hartman <gregkh@suse.de> Wed Jun 21 15:04:15 2006 -0700
tree c2c3f14b485fd2fd9bf41ba2a7dada7486ee4c49
parent 6ad07129a8ed2e13dcd7e6313c201c32bcf7cc32

[PATCH] usb: drivers/usb/core/devio.c dereferences a userspace pointer

See http://bugzilla.kernel.org/show_bug.cgi?id=6617.

This function dereference a __user pointer.

Signed-off-by: Philippe Retornaz <couriousous@mandriva.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

drivers/usb/core/devio.c

diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
index df3fb57..2eda52f 100644
--- a/drivers/usb/core/devio.c
+++ b/drivers/usb/core/devio.c
@@ -1078,7 +1078,9 @@
 	if (copy_from_user(&uurb, arg, sizeof(uurb)))
 		return -EFAULT;
 
-	return proc_do_submiturb(ps, &uurb, (((struct usbdevfs_urb __user *)arg)->iso_frame_desc), arg);
+	return proc_do_submiturb(ps, &uurb,
+		(struct usbdevfs_iso_packet_desc __user *)uurb.iso_frame_desc,
+		arg);
 }
 
 static int proc_unlinkurb(struct dev_state *ps, void __user *arg)
@@ -1203,7 +1205,9 @@
 	if (get_urb32(&uurb,(struct usbdevfs_urb32 *)arg))
 		return -EFAULT;
 
-	return proc_do_submiturb(ps, &uurb, ((struct usbdevfs_urb32 __user *)arg)->iso_frame_desc, arg);
+	return proc_do_submiturb(ps, &uurb,
+		(struct usbdevfs_iso_packet_desc __user *)uurb.iso_frame_desc,
+		arg);
 }
 
 static int processcompl_compat(struct async *as, void __user * __user *arg)