On Tue March 26 2013 08:35:57 Dan Carpenter wrote:
> On Tue, Mar 26, 2013 at 10:04:15AM +0300, Dan Carpenter wrote:
> > On Tue, Mar 26, 2013 at 02:42:47PM +0800, Wei Yongjun wrote:
> > > From: Wei Yongjun <yongjun_wei@xxxxxxxxxxxxxxxxx>
> > >
> > > sizeof() when applied to a pointer typed expression gives the
> > > size of the pointer, not that of the pointed data.
> > >
> >
> > This fix isn't right. "buf" is a char pointer. I don't know what
> > this code is doing. Instead of sizeof(*buf) it should be something
> > like "buflen", "msg[i].len", "msg[i].len + 1" or "msg[i].len + 3".
>
> It should be "msg[i].len + 1", I think.

Yes, that's correct. 'buf' used to be a local array, so the memset was fine.
I changed it to an array that was kmalloc()ed but forgot about the memset.
I never noticed the bug because the sizeof the message is typically quite
small, certainly smaller than sizeof(pointer) on a 64-bit system.

Wei Yongjun, can you post a new patch fixing this?

Thanks,

Hans

>
> On the line before it writes buflen bytes to the hardware. Then
> it clears the transfer buffer and reads "msg[i].len + 1" bytes from
> the hardware. Then it saves the memory, except for the first byte,
> in msg[i].buf.
>
> So it should clear "msg[i].len + 1" bytes so that the old data isn't
> confused with the data that we read from the hardware.
>
> regards,
> dan carpenter
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-media" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
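
The three clear lengths discussed in this thread, compared in a user-space model (an added example, not code from the thread or from the driver). The names XFER_BUF_SIZE, clear_mode and stale_bytes_after_clear, the 64-byte buffer and the 0xAA fill are assumptions made for the illustration; malloc() stands in for kmalloc().

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define XFER_BUF_SIZE 64  /* assumed buffer size, large enough for every case here */
enum clear_mode { CLEAR_SIZEOF_PTR, CLEAR_SIZEOF_DEREF, CLEAR_MSG_LEN_PLUS_1 };

/*
 * Models one read transfer: the buffer still holds the bytes just written
 * (0xAA, constructed), it is cleared, then msg_len + 1 bytes are expected back.
 * Returns how many of those bytes still hold old data, or -1 on bad input.
 */
int stale_bytes_after_clear(size_t msg_len, enum clear_mode mode)
{
    size_t want = msg_len + 1, n, i;
    int stale = 0;
    char *buf;

    if (want > XFER_BUF_SIZE)
        return -1;
    buf = malloc(XFER_BUF_SIZE);
    if (!buf)
        return -1;
    memset(buf, 0xAA, XFER_BUF_SIZE);      /* leftover write data */
    switch (mode) {
    case CLEAR_SIZEOF_PTR:   n = sizeof(buf);  break; /* size of the pointer */
    case CLEAR_SIZEOF_DEREF: n = sizeof(*buf); break; /* size of one char: 1 */
    default:                 n = want;         break; /* msg[i].len + 1 */
    }
    memset(buf, 0, n);

    for (i = 0; i < want; i++)
        if (buf[i] != 0)
            stale++;
    free(buf);
    return stale;
}

int main(void)
{
    size_t lens[] = { 3, 15 };
    for (size_t i = 0; i < 2; i++)
        printf("len=%zu ptr=%d deref=%d len+1=%d\n", lens[i],
               stale_bytes_after_clear(lens[i], CLEAR_SIZEOF_PTR),
               stale_bytes_after_clear(lens[i], CLEAR_SIZEOF_DEREF),
               stale_bytes_after_clear(lens[i], CLEAR_MSG_LEN_PLUS_1));
    return 0;
}
```

With a 3-byte message the pointer-sized clear happens to cover all 4 bytes, which matches the reason given above for the bug going unnoticed; with a 15-byte message it leaves old bytes in the range that is read back.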