Re: [PATCH 1/4] Staging: most: fix bad min() casting

Dan Carpenter <dan.carpenter@xxxxxxxxxx> · Tue, 28 Jul 2015 18:44:09 +0300

On Tue, Jul 28, 2015 at 05:16:08PM +0200, Christian Gromm wrote:
> This patch fixes wrong casting. A high value of "len" is casted to
> negative and thus the minimum resulting in memory corruption.
> 

It can't actually though, because it's capped at a PAGE_SIZE, I think.
Pretty much all kernel read/write len parameters are capped to prevent
this type of error.

> Reported-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> Signed-off-by: Christian Gromm <christian.gromm@xxxxxxxxxxxxx>
> ---
>  drivers/staging/most/mostcore/core.c |    4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/staging/most/mostcore/core.c b/drivers/staging/most/mostcore/core.c
> index f4f9034..d566d8e 100644
> --- a/drivers/staging/most/mostcore/core.c
> +++ b/drivers/staging/most/mostcore/core.c
> @@ -973,7 +973,7 @@ static ssize_t store_add_link(struct most_aim_obj *aim_obj,
>  	char *mdev_devnod;
>  	char devnod_buf[STRING_SIZE];
>  	int ret;
> -	unsigned int max_len = min((int)len + 1, STRING_SIZE);
> +	size_t max_len = min(len + 1, (size_t)STRING_SIZE);

Please use min_t().  I should have said earlier.

	unsigned int max_len = min_t(size_t, len + 1, STRING_SIZE);

regards,
dan carpenter

_______________________________________________
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxx
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel