Re: There is a potential buffer overflow issue in bmi323

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 12/09/24 11:50, Qianqiang Liu wrote:
> Hi,
> 
> I reviewed the following code in drivers/iio/imu/bmi323/bmi323_core.c:
> 
> 2245         for (unsigned int i = 0; i < ARRAY_SIZE(bmi323_ext_reg_savestate); i++) { <-
> 2246                 ret = bmi323_write_ext_reg(data, bmi323_reg_savestate[i], <-
> 2247						savestate->reg_settings[i]);
> 2248                 if (ret) {
> 2249                         dev_err(data->dev,
> 2250                                 "Error writing bmi323 external reg 0x%x: %d\n",
> 2251                                 bmi323_reg_savestate[i], ret);
> 2252                         return ret;
> 2253                 }
> 2254         }
> 
> The array size of the "bmi323_ext_reg_savestate" is twelve, and the
> array size of "bmi323_reg_savestate" is nine.
> 
> Is it possible that "bmi323_reg_savestate" may have buffer overflow
> issue?
> 
Hi,

You are very right and that is copy/paste mistake that was not flagged as a warning by gcc.
Thanks for letting me know!

There is currently a fix already sent for review here:
https://lore.kernel.org/all/20240909-iio-bmi323-fix-array-ref-v1-1-51c220f22229@xxxxxxxxxx


Best regards,
Denis Benato




[Index of Archives]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Input]     [Linux Kernel]     [Linux SCSI]     [X.org]

  Powered by Linux