This is a privileged operation so it doesn't matter much. We use "tmp" as an offset into an array. If it were invalid we could read out of bounds and trigger an oops if the memory is not mapped. Plus it makes static checkers complain. Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> --- This changes the behavior a little bit because in the original we could give slightly invalid "len" values and the function would still work... Please review it extra carefully to make sure it doesn't break userspace. diff --git a/drivers/usb/atm/cxacru.c b/drivers/usb/atm/cxacru.c index 1173f9c..0a866e9 100644 --- a/drivers/usb/atm/cxacru.c +++ b/drivers/usb/atm/cxacru.c @@ -476,6 +476,8 @@ static ssize_t cxacru_sysfs_store_adsl_config(struct device *dev, return -EINVAL; if (index < 0 || index > 0x7f) return -EINVAL; + if (tmp < 0 || tmp > len - pos) + return -EINVAL; pos += tmp; /* skip trailing newline */ -- To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
