[PATCH 1/4] USB: sisusbvga: change the char buffer from char to u8 for sisusb_write_mem_bulk and sisusb_send_bulk_msg


 



This patch changes the types of the char buffer declarations,
as well as the passed-in parameters, to u8 for the functions
sisusb_write_mem_bulk and sisusb_send_bulk_msg to avoid
any related UB.

This patch also changes the local buf[4] of sisusb_write_mem_bulk
to u8. This fixes an undefined behavior: buf can be filled
with data from user space, so its elements can be negative when the
type is signed, and its content is left-shifted. Left-shifting a
negative value is undefined behavior. It is fixed by changing buf
from char to u8.

Signed-off-by: Changming Liu <charley.ashbringer@xxxxxxxxx>
---
 drivers/usb/misc/sisusbvga/sisusb.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/drivers/usb/misc/sisusbvga/sisusb.c b/drivers/usb/misc/sisusbvga/sisusb.c
index fc8a5da..4aa717a 100644
--- a/drivers/usb/misc/sisusbvga/sisusb.c
+++ b/drivers/usb/misc/sisusbvga/sisusb.c
@@ -327,7 +327,7 @@ static int sisusb_bulkin_msg(struct sisusb_usb_data *sisusb,
  */
 
 static int sisusb_send_bulk_msg(struct sisusb_usb_data *sisusb, int ep, int len,
-		char *kernbuffer, const char __user *userbuffer, int index,
+		u8 *kernbuffer, const u8 __user *userbuffer, int index,
 		ssize_t *bytes_written, unsigned int tflags, int async)
 {
 	int result = 0, retry, count = len;
@@ -543,7 +543,7 @@ static int sisusb_send_packet(struct sisusb_usb_data *sisusb, int len,
 
 	/* 1. send the packet */
 	ret = sisusb_send_bulk_msg(sisusb, SISUSB_EP_GFX_OUT, len,
-			(char *)packet, NULL, 0, &bytes_transferred, 0, 0);
+			(u8 *)packet, NULL, 0, &bytes_transferred, 0, 0);
 
 	if ((ret == 0) && (len == 6)) {
 
@@ -579,7 +579,7 @@ static int sisusb_send_bridge_packet(struct sisusb_usb_data *sisusb, int len,
 
 	/* 1. send the packet */
 	ret = sisusb_send_bulk_msg(sisusb, SISUSB_EP_BRIDGE_OUT, len,
-			(char *)packet, NULL, 0, &bytes_transferred, tflags, 0);
+			(u8 *)packet, NULL, 0, &bytes_transferred, tflags, 0);
 
 	if ((ret == 0) && (len == 6)) {
 
@@ -752,7 +752,7 @@ static int sisusb_write_memio_long(struct sisusb_usb_data *sisusb, int type,
  */
 
 static int sisusb_write_mem_bulk(struct sisusb_usb_data *sisusb, u32 addr,
-		char *kernbuffer, int length, const char __user *userbuffer,
+		u8 *kernbuffer, int length, const u8 __user *userbuffer,
 		int index, ssize_t *bytes_written)
 {
 	struct sisusb_packet packet;
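Review bot: No caller that passes a real kernel buffer is converted in this patch: the two sisusb_write_mem_bulk call sites it touches (both in sisusb_write) pass `NULL` for `kernbuffer`. Any remaining caller that still hands in a `char *` would now differ in pointer signedness from the new `u8 *kernbuffer` parameter, which sparse or a `-Wpointer-sign` build would flag. If such callers exist and are converted by a later patch of this 4-part series, the commit message should say so; otherwise they should be converted here. The function body continues outside the hunk.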
@@ -761,7 +761,7 @@ static int sisusb_write_mem_bulk(struct sisusb_usb_data *sisusb, u32 addr,
 	u8   swap8, fromkern = kernbuffer ? 1 : 0;
 	u16  swap16;
 	u32  swap32, flag = (length >> 28) & 1;
-	char buf[4];
+	u8 buf[4];
 
 	/* if neither kernbuffer not userbuffer are given, assume
 	 * data in obuf
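Review bot: The reason `buf` must be unsigned is not recorded at the declaration, so a later cleanup could turn it back into `char` and reintroduce the sign problem. Per the commit message, the bytes are filled from user space and then left-shifted; that code lies outside this hunk. A short comment above the declaration would keep the invariant visible, e.g. `/* u8, not char: bytes copied from user space are shifted below and must not be negative */`.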
@@ -2700,7 +2700,7 @@ static ssize_t sisusb_write(struct file *file, const char __user *buffer,
 		 * mode or if YUV data is being transferred).
 		 */
 		errno = sisusb_write_mem_bulk(sisusb, address, NULL,
-				count, buffer, 0, &bytes_written);
+				count, (u8 __user *)buffer, 0, &bytes_written);
 
 		if (bytes_written)
 			errno = bytes_written;
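Review bot: The cast `(u8 __user *)buffer` drops the `const` qualifier from `buffer`, which sisusb_write receives as `const char __user *`, even though the target parameter is declared `const u8 __user *userbuffer`. Keep the qualifier in the cast: `count, (const u8 __user *)buffer, 0, &bytes_written);`. The same applies to the second sisusb_write_mem_bulk call in the following hunk. sisusb_write starts and ends outside this hunk.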
@@ -2718,7 +2718,7 @@ static ssize_t sisusb_write(struct file *file, const char __user *buffer,
 		 * in advance.
 		 */
 		errno = sisusb_write_mem_bulk(sisusb, address, NULL,
-				count, buffer, 0, &bytes_written);
+				count, (u8 __user *)buffer, 0, &bytes_written);
 
 		if (bytes_written)
 			errno = bytes_written;
-- 
2.7.4



