Hi,
A guy posted this fix on my blog. I couldn't make sense of it.
Thought I'd post it here. I'll send a proper patch file if
I knew what commit log I needed to write.
And I can't exactly sign-off :s.
I asked him to post but he couldn't/wouldn't.
Regards
ZubairLK
"Defend against buffer overflow of ci_array:
code always overwrites one entry beyond end of array, now fixed
--Craig Markwardt"
iio_utils.h
@@ -335,6 +335,7 @@ inline int build_channel_array(const char *device_dir,
while (ent = readdir(dp), ent != NULL) {
if (strcmp(ent->d_name + strlen(ent->d_name) - strlen("_en"),
"_en") == 0) {
+ int current_enabled = 0;
current = &(*ci_array)[count++];
ret = asprintf(&filename,
"%s/%s", scan_el_dir, ent->d_name);
if (ret < 0) {
ret = -ENOMEM;
/* decrement count to avoid freeing name */
count--;
goto error_cleanup_array;
}
sysfsfp = fopen(filename, "r");
if (sysfsfp == NULL) {
free(filename);
ret = -errno;
goto error_cleanup_array;
}
- fscanf(sysfsfp, "%u", ¤t->enabled);
+ fscanf(sysfsfp, "%u", ¤t_enabled);
fclose(sysfsfp);
- if (!current->enabled) {
+ if (!current_enabled) {
free(filename);
count--;
continue;
}
+ current->enabled = current_enabled;
current->scale = 1.0;
current->offset = 0;
current->name = strndup(ent->d_name,
--
To unsubscribe from this list: send the line "unsubscribe linux-iio" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
