The "buf" variable has "len" bytes, and the size is controlled by the user in cm_chan_msg_send(). If the length is fewer than sizeof(*hdr) then it could lead to memory corruption. Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> --- Strictly speaking the last two bytes of length are reserved and not written to but it's simpler and better to check "< sizeof(*hdr)" instead of "< sizeof(*hdr) - 2". This is better for future proofing. drivers/rapidio/rio_cm.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/rapidio/rio_cm.c b/drivers/rapidio/rio_cm.c index db4c265287ae..5c332b9867e1 100644 --- a/drivers/rapidio/rio_cm.c +++ b/drivers/rapidio/rio_cm.c @@ -784,7 +784,8 @@ static int riocm_ch_send(u16 ch_id, void *buf, int len) struct rio_ch_chan_hdr *hdr; int ret; - if (buf == NULL || ch_id == 0 || len == 0 || len > RIO_MAX_MSG_SIZE) + if (buf == NULL || ch_id == 0 || + len < sizeof(*hdr) || len > RIO_MAX_MSG_SIZE) return -EINVAL; ch = riocm_get_channel(ch_id); -- 2.30.2
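Review bot: the new lower-bound test in the riocm_ch_send() hunk compares the `int len` from the `static int riocm_ch_send(u16 ch_id, void *buf, int len)` signature against the `size_t` value `sizeof(*hdr)`, so `len` is converted to unsigned before the comparison and a negative `len` becomes a very large value that `len < sizeof(*hdr)` does not reject; unless `RIO_MAX_MSG_SIZE` is an unsigned constant, the remaining `len > RIO_MAX_MSG_SIZE` comparison is signed and a negative length passes it as well, just as it did with the old `len == 0` test, so if a negative length can reach this function from cm_chan_msg_send() the check is still incomplete (and the mixed comparison draws a -Wsign-compare warning). Suggest writing the condition as `len < (int)sizeof(*hdr) || len > RIO_MAX_MSG_SIZE` or adding an explicit `len < 0 ||` term so the lower bound covers negative values. Separately, the rationale in the note below the `---` (the last two bytes of the header are reserved, but checking `< sizeof(*hdr)` rather than `< sizeof(*hdr) - 2` is simpler and future-proof) is the reason this bound was chosen and is dropped when the patch is applied; it belongs in the commit message itself.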