usb_blk_msg() will return the passed 'len' (64) as the 'actual_len' (cnt) of the transfer. The addition of the '\0' to the end of the returned string will overrun the 'rx' array. Increase the array size by 1 to fix the out-of-bounds write.

Reported-by: coverity (CID 711413)
Signed-off-by: H Hartley Sweeten <hsweeten@xxxxxxxxxxxxxxxxxxx>
Cc: Ian Abbott <abbotti@xxxxxxxxx>
Cc: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
--- drivers/staging/comedi/drivers/vmk80xx.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/staging/comedi/drivers/vmk80xx.c b/drivers/staging/comedi/drivers/vmk80xx.c index e371183..e0656d1 100644 --- a/drivers/staging/comedi/drivers/vmk80xx.c +++ b/drivers/staging/comedi/drivers/vmk80xx.c @@ -195,7 +195,7 @@ static void vmk80xx_read_eeprom(struct comedi_device *dev, int flag) unsigned int tx_pipe; unsigned int rx_pipe; unsigned char tx[1]; - unsigned char rx[64]; + unsigned char rx[65]; int cnt; tx_pipe = usb_sndbulkpipe(usb, 0x01); -- 2.3.0
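Review bot: the new size in `unsigned char rx[65];` is a bare literal that is tied to the 64-byte transfer length only by convention, so the terminator write described in the commit message stays in bounds only while the two numbers are kept in sync by hand. Suggest deriving one from the other, for example passing `sizeof(rx) - 1` as the length of the transfer, or declaring the array as `rx[64 + 1]` with a short comment that the extra byte holds the '\0'. Separately, `int cnt;` is declared without an initializer and the hunk does not show whether the return value of the transfer is checked before `cnt` is used as an index; if it is not, a failed transfer would leave the index undefined, so a check that the call succeeded and that `cnt < sizeof(rx)` before the terminator is written would close the out-of-bounds write regardless of the array size.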