Hi! > > > commit e7b931bee739e8a77ae216e613d3b99342b6dec0 upstream. > > > > > > The driver would happily overwrite its write buffer with user data in > > > 256 byte increments due to a removed buffer-space sanity check. > > > > > +++ b/drivers/usb/serial/iuu_phoenix.c > > > @@ -697,14 +697,16 @@ static int iuu_uart_write(struct tty_str > > > struct iuu_private *priv = usb_get_serial_port_data(port); > > > unsigned long flags; > > > > > > - if (count > 256) > > > - return -ENOMEM; > > > - > > > spin_lock_irqsave(&priv->lock, flags); > > > > > > + count = min(count, 256 - priv->writelen); > > > + if (count == 0) > > > + goto out; > > > + > > > /* fill the buffer */ > > > memcpy(priv->writebuf + priv->writelen, buf, count); > > > priv->writelen += count; > > > +out: > > > spin_unlock_irqrestore(&priv->lock, flags); > > > > > > return count; > > > > Ok, so... goto and label is unneccessary, memcpy will do the right > > thing with count == 0. > > That's generally too subtle. Better to clearly mark the error/exception > path. We usually avoid subtle code by introducing comments, not by introducing extra (and confusing) code that can not be optimized out. Best regards, Pavel -- DENX Software Engineering GmbH, Managing Director: Wolfgang Denk HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Attachment:
signature.asc
Description: PGP signature