On Fri, Mar 07, 2014 at 07:10:57AM -0600, Ken Cox wrote:
> A character array was declared on the stack with variable length. This has
> been corrected to use a fixed length.
>
> Reported-by: Dan Carpenter <[email protected]>
> Signed-off-by: Ken Cox <[email protected]>
> ---
> drivers/staging/unisys/virthba/virthba.c | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/staging/unisys/virthba/virthba.c
> b/drivers/staging/unisys/virthba/virthba.c
> index c292293..3820c57 100644
> --- a/drivers/staging/unisys/virthba/virthba.c
> +++ b/drivers/staging/unisys/virthba/virthba.c
> @@ -1439,12 +1439,17 @@ static ssize_t
> enable_ints_write(struct file *file, const char __user *buffer,
> size_t count, loff_t *ppos)
> {
> - char buf[count + 1];
> + char buf[4];
> int i, new_value;
> struct virthba_info *virthbainfo;
> U64 *Features_addr;
> U64 mask;
>
> + if (count > 2) {
2 seems wrong. It should be something related to buf. Anyway please
write it like this:
if (count >= ARRAY_SIZE(buf)) {
> + LOGERR("invalid count<<%lu>>\n", count);
> + return -EINVAL;
> + }
> +
> buf[count] = '\0';
> if (copy_from_user(buf, buffer, count)) {
> LOGERR("copy_from_user failed. buf<<%.*s>> count<<%lu>>\n",
regards,
dan carpenter
_______________________________________________
devel mailing list
[email protected]
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
