Re: [REVIEW REQUEST] staging: unisys: review request for visorbus

drivers/staging/unisys/visorbus/visorchipset.c
   588  static void *parser_name_get(struct parser_context *ctx)
   589  {
   590          struct visor_controlvm_parameters_header *phdr;
   591  
   592          phdr = &ctx->data;
   593          if (phdr->name_offset + phdr->name_length > ctx->param_bytes)
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
I am just reviewing quickly.  This looks like a potential integer
overflow if phdr->name_offset is UINT_MAX?

   594                  return NULL;
   595          ctx->curr = (char *)&phdr + phdr->name_offset;
   596          ctx->bytes_remaining = phdr->name_length;
   597          return parser_string_get(ctx->curr, phdr->name_length);
   598  }

drivers/staging/unisys/visorbus/visorchipset.c
  1317  static struct parser_context *parser_init_stream(u64 addr, u32 bytes,
  1318                                                   bool *retry)
  1319  {
  1320          int allocbytes;
  1321          struct parser_context *ctx;
  1322          void *mapping;
  1323  
  1324          *retry = false;
  1325          /* alloc an extra byte to ensure payload is \0 terminated */
  1326          allocbytes = bytes + 1 + (sizeof(struct parser_context) -
  1327                       sizeof(struct visor_controlvm_parameters_header));
  1328          if ((chipset_dev->controlvm_payload_bytes_buffered + bytes) >

Same question.  Can this or the allocbytes calculation have an integer
overflow?

  1329               MAX_CONTROLVM_PAYLOAD_BYTES) {
  1330                  *retry = true;
  1331                  return NULL;
  1332          }
  1333          ctx = kzalloc(allocbytes, GFP_KERNEL);
  1334          if (!ctx) {
  1335                  *retry = true;
  1336                  return NULL;
  1337          }
  1338          ctx->allocbytes = allocbytes;
  1339          ctx->param_bytes = bytes;

Otherwise the code looks pretty clean to me.

regards,
dan carpenter
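
Added example, not part of the original message or of the visorbus driver: a user-space C sketch of the two overflow questions raised above, showing the quoted `offset + length > limit` check shape beside an overflow-safe form, plus a checked version of an `allocbytes`-style size computation. The function names, the 32-bit unsigned field types for the offset and length, and the sample values are assumptions made for illustration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Same shape as the quoted check in parser_name_get(), inverted to "is it
 * in range?". Assumption: offset and length are 32-bit unsigned fields,
 * so the sum is computed modulo 2^32 and can wrap to a small value. */
static bool range_ok_wrapping(uint32_t offset, uint32_t length, uint32_t limit)
{
	return !(offset + length > limit);
}

/* Overflow-safe form: never compute offset + length. limit - offset
 * cannot underflow because offset <= limit is tested first. */
static bool range_ok_safe(uint32_t offset, uint32_t length, uint32_t limit)
{
	return offset <= limit && length <= limit - offset;
}

/* Size computation in the style of allocbytes (u32 bytes + 1 + extra,
 * stored in an int): do the sum in 64 bits and reject anything that does
 * not fit in a positive int. Returns -1 on rejection. "extra" stands in
 * for the sizeof difference in the quoted code. */
static int alloc_size_checked(uint32_t bytes, uint32_t extra)
{
	uint64_t total = (uint64_t)bytes + 1 + extra;

	return total > INT_MAX ? -1 : (int)total;
}

int main(void)
{
	/* Constructed sample values, not taken from the driver. */
	printf("wrapping: %d\n", range_ok_wrapping(UINT32_MAX, 16, 4096));
	printf("safe:     %d\n", range_ok_safe(UINT32_MAX, 16, 4096));
	printf("alloc:    %d\n", alloc_size_checked(UINT32_MAX, 24));
	return 0;
}
```

In kernel code the same checks can be written with `check_add_overflow()` from `<linux/overflow.h>`.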
