On Fri, Aug 07, 2015 at 01:59:40PM +0300, Daniel Baluta wrote:
> > 119          for (i = 0; i < num_read; i++)
> > 120                  *(((u16 *)rx) + i) = be16_to_cpup((__be16 *)rx + i);
> >                                                        ^^^^^^^^^^^^^^^
> >
> > We're writing beyond the end of the array here because of the pointer
> > math issue.  The fix is probably to say:
> >
> >         for (i = 0; i < num_read / sizeof(u16); i++)
> >                 *(((u16 *)rx) + i) = be16_to_cpup((__be16 *)rx + i);
> >
> > 121
> > 122          if (copy_to_user(buf, rx, num_read))
> > 123                  ret = -EFAULT;
>
> Looks good to me. Please send a formal patch.

It's weird that no one has noticed this bug in testing because we end up
corrupting memory every time this function is called.

regards,
dan carpenter

--
To unsubscribe from this list: send the line "unsubscribe linux-iio" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
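The defect in the quoted driver loop is a unit mismatch: num_read counts bytes, but the loop index is applied to a u16 pointer, so the loop runs twice as many iterations as there are halfwords and the second half of them write past the data that was actually read. The following user-space C is an added illustration, not the driver's code or anything from the thread: be16_to_host() stands in for the kernel's be16_to_cpup(), be16_buf_to_host() performs the conversion with the loop bound the reviewer proposed plus a bounds check on the byte count, and overrun_halfwords() computes how many halfword slots the original bound would write beyond the num_read bytes (assuming, as the review does, that rx holds exactly num_read valid bytes). The four-byte sample buffer is constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the kernel's be16_to_cpup(): read one big-endian
 * 16-bit value from memory and return it in host byte order. */
static uint16_t be16_to_host(const uint8_t *p)
{
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* Convert num_read BYTES of big-endian 16-bit samples in rx to host
 * order in place.  The loop bound is num_read / sizeof(uint16_t), the
 * fix proposed in the review; the byte count is also checked against
 * the buffer so a caller cannot push the loop past rx_len.
 * Returns the number of samples converted, or -1 if num_read is odd
 * or larger than the buffer. */
static int be16_buf_to_host(uint8_t *rx, size_t rx_len, size_t num_read)
{
    size_t i, n;

    if (num_read > rx_len || num_read % sizeof(uint16_t) != 0)
        return -1;

    n = num_read / sizeof(uint16_t);
    for (i = 0; i < n; i++) {
        uint16_t v = be16_to_host(rx + 2 * i);
        /* write the host-order halfword back over its source bytes */
        memcpy(rx + 2 * i, &v, sizeof v);
    }
    return (int)n;
}

/* Number of 16-bit slots the original loop (bounded by num_read rather
 * than num_read / sizeof(u16)) would write beyond the num_read bytes of
 * valid data.  Assumption for the example: rx holds exactly num_read bytes. */
static size_t overrun_halfwords(size_t num_read)
{
    return num_read - num_read / sizeof(uint16_t);
}

/* Constructed sample: two big-endian samples, 0x1234 and 0xabcd.
 * Runs the fixed conversion with the given byte count and returns its
 * result, so the odd and oversized cases can be exercised too. */
static int convert_sample(size_t num_read)
{
    uint8_t buf[4] = { 0x12, 0x34, 0xab, 0xcd };

    return be16_buf_to_host(buf, sizeof buf, num_read);
}

/* Same constructed sample; returns the first sample after conversion,
 * read back in host order, so the value is endian-independent. */
static uint16_t sample_first_value(void)
{
    uint8_t buf[4] = { 0x12, 0x34, 0xab, 0xcd };
    uint16_t v = 0;

    if (be16_buf_to_host(buf, sizeof buf, sizeof buf) != 2)
        return 0;
    memcpy(&v, buf, sizeof v);
    return v;
}

int main(void)
{
    printf("converted %d samples, first = 0x%04x\n",
           convert_sample(4), sample_first_value());
    printf("original bound would overrun by %zu halfwords for 4 bytes\n",
           overrun_halfwords(4));
    printf("odd byte count -> %d, oversized count -> %d\n",
           convert_sample(3), convert_sample(6));
    return 0;
}
```

For a 4-byte read the fixed loop converts 2 samples while the original bound would have iterated 4 times, touching 2 halfwords beyond the data; the same arithmetic generalises to any num_read, which is why the corruption occurs on every call rather than only on edge cases.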