Re: [PATCH 1/2] iio: fix possible buffer overflow

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 02/05/14 23:40, Alexandre Belloni wrote:
Found using smatch:
drivers/iio/industrialio-core.c:719 iio_device_add_info_mask_type() error:
buffer overflow 'iio_chan_info_postfix' 17 <= 63

It was probably never hit because the info_mask_* members are filled by using
the BIT() macro with values from the iio_chan_info_enum enum that also serve as
the index of the iio_chan_info_postfix array.

Signed-off-by: Alexandre Belloni <alexandre.belloni@xxxxxxxxxxxxxxxxxx>
See
ef4b4856593fc3d9d169bededdaf7acf62f83a52
iio:core: Fix bug in length of event info_mask and catch unhandled bits set in masks.

Which fixes the same issue in a slightly different way.

Pretty recent patch though and this was there for ages before that.
Better to have two fixes than none.

Thanks,

J
---
  drivers/iio/industrialio-core.c | 3 ++-
  1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/iio/industrialio-core.c b/drivers/iio/industrialio-core.c
index ede16aec20fb..5e7a67e53879 100644
--- a/drivers/iio/industrialio-core.c
+++ b/drivers/iio/industrialio-core.c
@@ -715,7 +715,8 @@ static int iio_device_add_info_mask_type(struct iio_dev *indio_dev,
  {
  	int i, ret, attrcount = 0;

-	for_each_set_bit(i, infomask, sizeof(infomask)*8) {
+	for_each_set_bit(i, infomask, min(sizeof(infomask)*8,
+					  ARRAY_SIZE(iio_chan_info_postfix))) {
  		ret = __iio_add_chan_devattr(iio_chan_info_postfix[i],
  					     chan,
  					     &iio_read_channel_info,


--
To unsubscribe from this list: send the line "unsubscribe linux-iio" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html




[Index of Archives]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Input]     [Linux Kernel]     [Linux SCSI]     [X.org]

  Powered by Linux