On Wed, Aug 12, 2015 at 10:30:47AM -0700, H Hartley Sweeten wrote: > @@ -1061,6 +1061,14 @@ static int do_chaninfo_ioctl(struct comedi_device *dev, > if (it.maxdata_list) { > if (s->maxdata || !s->maxdata_list) > return -EINVAL; > + /* > + * s->n_chan is usually <= 32 but _some_ comedi drivers > + * do have more. Do a simple sanity check to make sure > + * copy_to_user() does not overflow. In reality this > + * should never fail... > + */ > + if (s->n_chan > (0xffffffff / sizeof(unsigned int))) > + return -EINVAL; > if (copy_to_user(it.maxdata_list, s->maxdata_list, > s->n_chan * sizeof(unsigned int))) This change doesn't make sense because an integer overflow here would be basically harmless. I don't like silencing false positives in this way. It's better to ignore the warning. The bounds err in ni6501_port_command() was a false positive too, but the fix for that made to code more readable so it was a good thing. regards, dan carpenter _______________________________________________ devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxx http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel