This doesn't check the return from simple_write_to_buffer() to see how
many bytes were initialized. The only thing we can say for sure is that
the first byte is initialized.
There is no need to use the simple_write_to_buffer() function because
partial writes are not supported. Even if the user passes in a
different value for *ppos, we still use dummy = 0 as the starting point.
So replace the simple_write_to_buffer() with copy_from_user(). I
added a check for if (*ppos != 0) so that it's more clear that
partial writes are not supported.
Fixes: 5bc7f990cd98 ("bus: Add support for Moxtet bus")
Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
---
The simple_write_to_buffer() is not simple at all and creates a lot of
bugs, but the nice thing about it is that it takes "sizeof(hex)" as
an argument.
However, the "len > 2 * moxtet->count + 1" means that we can't overflow.
And if moxtet->count were wrong it would lead to issues later anyway.
drivers/bus/moxtet.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/drivers/bus/moxtet.c b/drivers/bus/moxtet.c
index 5eb0fe73ddc4..42453518400a 100644
--- a/drivers/bus/moxtet.c
+++ b/drivers/bus/moxtet.c
@@ -513,16 +513,16 @@ static ssize_t output_write(struct file *file, const char __user *buf,
struct moxtet *moxtet = file->private_data;
u8 bin[TURRIS_MOX_MAX_MODULES];
u8 hex[sizeof(bin) * 2 + 1];
- ssize_t res;
- loff_t dummy = 0;
int err, i;
+ if (*ppos != 0)
+ return -EINVAL;
+
if (len > 2 * moxtet->count + 1 || len < 2 * moxtet->count)
return -EINVAL;
- res = simple_write_to_buffer(hex, sizeof(hex), &dummy, buf, len);
- if (res < 0)
- return res;
+ if (copy_from_user(hex, buf, len))
+ return -EFAULT;
if (len % 2 == 1 && hex[len - 1] != '\n')
return -EINVAL;
--
2.39.2
