staging: usbip: fix potential segfault because of unchecked return value of strchr.

This doesn't happen with the usbip virtual hci module, but another
module wanting to interface with this user space code could cause a
seg-fault by sending data without newlines.

Signed-off-by: Christopher Harvey <charvey@matrox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/staging/usbip/userspace/libsrc/vhci_driver.c b/drivers/staging/usbip/userspace/libsrc/vhci_driver.c
index 2697877..0958ba5 100644 (file)
--- a/drivers/staging/usbip/userspace/libsrc/vhci_driver.c
+++ b/drivers/staging/usbip/userspace/libsrc/vhci_driver.c
@@ -59,7 +59,10 @@ static int parse_status(char *value)
 
 
        /* skip a header line */
-       c = strchr(value, '\n') + 1;
+       c = strchr(value, '\n');
+       if (!c)
+               return -1;
+       c++;
 
        while (*c != '\0') {
                int port, status, speed, devid;
@@ -109,7 +112,10 @@ static int parse_status(char *value)
 
 
                /* go to the next line */
-               c = strchr(c, '\n') + 1;
+               c = strchr(c, '\n');
+               if (!c)
+                       break;
+               c++;
        }
 
        dbg("exit");
@@ -264,11 +270,17 @@ static int get_nports(void)
            attr_status->method, attr_status->value);
 
        /* skip a header line */
-       c = strchr(attr_status->value, '\n') + 1;
+       c = strchr(attr_status->value, '\n');
+       if (!c)
+               return 0;
+       c++;
 
        while (*c != '\0') {
                /* go to the next line */
-               c = strchr(c, '\n') + 1;
+               c = strchr(c, '\n');
+               if (!c)
+                       return nports;
+               c++;
                nports += 1;
        }