Re: [PATCH] staging: comedi: comedi_fops: fix possible overflow in do_chaninfo_ioctl()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, Aug 12, 2015 at 10:30:47AM -0700, H Hartley Sweeten wrote:
> @@ -1061,6 +1061,14 @@ static int do_chaninfo_ioctl(struct comedi_device *dev,
>  	if (it.maxdata_list) {
>  		if (s->maxdata || !s->maxdata_list)
>  			return -EINVAL;
> +		/*
> +		 * s->n_chan is usually <= 32 but _some_ comedi drivers
> +		 * do have more. Do a simple sanity check to make sure
> +		 * copy_to_user() does not overflow. In reality this
> +		 * should never fail...
> +		 */
> +		if (s->n_chan > (0xffffffff / sizeof(unsigned int)))
> +			return -EINVAL;
>  		if (copy_to_user(it.maxdata_list, s->maxdata_list,
>  				 s->n_chan * sizeof(unsigned int)))


This change doesn't make sense because an integer overflow here would be
basically harmless.  I don't like silencing false positives in this way.
It's better to ignore the warning.

The bounds err in ni6501_port_command() was a false positive too, but
the fix for that made to code more readable so it was a good thing.

regards,
dan carpenter

_______________________________________________
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxx
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel



[Index of Archives]     [Linux Driver Backports]     [DMA Engine]     [Linux GPIO]     [Linux SPI]     [Video for Linux]     [Linux USB Devel]     [Linux Coverity]     [Linux Audio Users]     [Linux Kernel]     [Linux SCSI]     [Yosemite Backpacking]
  Powered by Linux