Re: staging: iio: accel: Use __be16 instead of u16

On 08/07/2015 01:27 PM, Dan Carpenter wrote:
> On Fri, Aug 07, 2015 at 01:59:40PM +0300, Daniel Baluta wrote:
>>>    119          for (i = 0; i < num_read; i++)
>>>    120                  *(((u16 *)rx) + i) = be16_to_cpup((__be16 *)rx + i);
>>>                           ^^^^^^^^^^^^^^^
>>>
>>> We're writing beyond the end of the array here because of the pointer
>>> math issue.  The fix is probably to say:
>>>
>>>                 for (i = 0; i < num_read / sizeof(u16); i++)
>>>                         *(((u16 *)rx) + i) = be16_to_cpup((__be16 *)rx + i);
>>>
>>>    121
>>>    122          if (copy_to_user(buf, rx, num_read))
>>>    123                  ret = -EFAULT;
>>
>> Looks good to me. Please send a formal patch.
> 
> It's weird that no one has noticed this bug in testing because we end
> up corrupting memory every time this function is called.

The buffers are probably smaller than the minimum allocation size so there
is a bit of unused space after the buffer and overwriting it will not result
in a corruption of used memory and nobody ever noticed.

But in any case we should just drop the endianness conversion in kernelspace
and advertise the data as big-endian to userspace.

- Lars

--
To unsubscribe from this list: send the line "unsubscribe linux-iio" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
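
The loop-bound problem discussed in this thread, as an added userspace C example that is not part of the original messages or of the driver: it runs the quoted bound (byte count used as an element count) and the proposed bound (`num_read / sizeof(u16)`) over the same buffer and reports how many bytes each writes past the logical end. `RX_LEN`, `SLACK`, `load_be16` and the function names are assumptions made for the illustration; the backing array includes the slack, so the overrun stays inside allocated memory, much like the unused allocator space described in the reply.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RX_LEN 8 /* logical buffer size in bytes (constructed value) */
#define SLACK  8 /* spare bytes after it, standing in for allocator slack */

/* Userspace stand-in for be16_to_cpup(): read two bytes as big-endian. */
static uint16_t load_be16(const uint8_t *p)
{
	return (uint16_t)((p[0] << 8) | p[1]);
}

/* Convert `words` 16-bit values in place; returns the bytes written. */
static size_t convert_words(uint8_t *rx, size_t words)
{
	for (size_t i = 0; i < words; i++) {
		uint16_t v = load_be16(rx + 2 * i);
		memcpy(rx + 2 * i, &v, sizeof(v)); /* store in CPU byte order */
	}
	return words * sizeof(uint16_t);
}

/* Bound from the quoted line 119: a byte count used as an element count. */
size_t convert_buggy(uint8_t *rx, size_t num_read)
{
	return convert_words(rx, num_read);
}

/* Bound proposed in the thread: num_read / sizeof(u16) elements. */
size_t convert_fixed(uint8_t *rx, size_t num_read)
{
	return convert_words(rx, num_read / sizeof(uint16_t));
}

/* Bytes written past RX_LEN; mem includes the slack so the demo stays in bounds. */
size_t overrun_bytes(int use_fixed)
{
	uint8_t mem[RX_LEN + SLACK];
	size_t n;

	for (size_t i = 0; i < sizeof(mem); i++)
		mem[i] = (uint8_t)i; /* constructed sample data */
	n = use_fixed ? convert_fixed(mem, RX_LEN) : convert_buggy(mem, RX_LEN);
	return n > RX_LEN ? n - RX_LEN : 0;
}
```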
