Hello Larry Finger,
The patch 5adef66acf73: "staging: r8188eu: Add files for new driver -
part 19" from Aug 21, 2013, leads to the following static checker
warning:
drivers/staging/rtl8188eu/os_dep/rtw_android.c:262 rtw_android_priv_cmd()
error: snprintf() is printing too much.
drivers/staging/rtl8188eu/os_dep/rtw_android.c
260 default:
261 DBG_88E("Unknown PRIVATE command %s - ignored\n", command);
262 snprintf(command, 3, "OK");
263 bytes_written = strlen("OK");
The size of the "command" buf is determined by the user so it's not
necessarily large enough to hold the "OK" string. My first instinct is
to just delete this code, but I wonder what would break if just returned
-ENOTTY or whatever?
TODO-list: 2014-07-14: r8188eu: fix memory corruption in rtw_android_priv_cmd()
264 }
265
266 response:
267 if (bytes_written >= 0) {
268 if ((bytes_written == 0) && (priv_cmd.total_len > 0))
269 command[0] = '\0';
270 if (bytes_written >= priv_cmd.total_len) {
271 DBG_88E("%s: bytes_written = %d\n", __func__,
272 bytes_written);
273 bytes_written = priv_cmd.total_len;
274 } else {
275 bytes_written++;
276 }
277 priv_cmd.used_len = bytes_written;
278 if (copy_to_user((char __user *)priv_cmd.buf, command,
279 bytes_written)) {
280 DBG_88E("%s: failed to copy data to user buffer\n",
281 __func__);
282 ret = -EFAULT;
283 }
284 } else {
285 ret = bytes_written;
286 }
287 exit:
288 kfree(command);
289 return ret;
290 }
regards,
dan carpenter
_______________________________________________
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxx
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
