Dan Carpenter <dan.carpenter@xxxxxxxxxx> writes:
> On Tue, May 05, 2015 at 06:36:56PM -0400, Benjamin Romer wrote:
>> From: Jes Sorensen <Jes.Sorensen@xxxxxxxxxx>
>>
>> Signed-off-by: Jes Sorensen <Jes.Sorensen@xxxxxxxxxx>
>> Signed-off-by: Benjamin Romer <benjamin.romer@xxxxxxxxxx>
>> ---
>> drivers/staging/unisys/visorbus/visorchannel.c | 9 ++++++---
>> 1 file changed, 6 insertions(+), 3 deletions(-)
>>
>> diff --git a/drivers/staging/unisys/visorbus/visorchannel.c b/drivers/staging/unisys/visorbus/visorchannel.c
>> index cae62fed..da7bd9c 100644
>> --- a/drivers/staging/unisys/visorbus/visorchannel.c
>> +++ b/drivers/staging/unisys/visorbus/visorchannel.c
>> @@ -213,13 +213,16 @@ int
>> visorchannel_write(struct visorchannel *channel, ulong offset,
>> void *local, ulong nbytes)
>> {
>> - size_t size = sizeof(struct channel_header);
>> + size_t chdr_size = sizeof(struct channel_header);
>> + size_t copy_size;
>>
>> if (offset + nbytes > channel->memregion.nbytes)
>> return -EIO;
>>
>> - if (!offset && nbytes >= size)
>> - memcpy(&channel->chan_hdr, local, size);
>> + if (offset < chdr_size) {
>> + copy_size = min(chdr_size, nbytes) - offset;
>> + memcpy(&channel->chan_hdr + offset, local, copy_size);
>
> You get memory corrution if nbytes is less than offset and chdr_size.
>
> My reading was that in the original code this memcpy() was dead code but
> I could have been wrong.
Good point - the call path is not currently used, but we should fix the
check.
I'd prefer to add this in a follow-on patch, if you have no objection?
Cheers,
Jes
_______________________________________________
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxx
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
