Dan Carpenter <[email protected]> writes: > On Tue, May 05, 2015 at 06:36:56PM -0400, Benjamin Romer wrote: >> From: Jes Sorensen <[email protected]> >> >> Signed-off-by: Jes Sorensen <[email protected]> >> Signed-off-by: Benjamin Romer <[email protected]> >> --- >> drivers/staging/unisys/visorbus/visorchannel.c | 9 ++++++--- >> 1 file changed, 6 insertions(+), 3 deletions(-) >> >> diff --git a/drivers/staging/unisys/visorbus/visorchannel.c >> b/drivers/staging/unisys/visorbus/visorchannel.c >> index cae62fed..da7bd9c 100644 >> --- a/drivers/staging/unisys/visorbus/visorchannel.c >> +++ b/drivers/staging/unisys/visorbus/visorchannel.c >> @@ -213,13 +213,16 @@ int >> visorchannel_write(struct visorchannel *channel, ulong offset, >> void *local, ulong nbytes) >> { >> - size_t size = sizeof(struct channel_header); >> + size_t chdr_size = sizeof(struct channel_header); >> + size_t copy_size; >> >> if (offset + nbytes > channel->memregion.nbytes) >> return -EIO; >> >> - if (!offset && nbytes >= size) >> - memcpy(&channel->chan_hdr, local, size); >> + if (offset < chdr_size) { >> + copy_size = min(chdr_size, nbytes) - offset; >> + memcpy(&channel->chan_hdr + offset, local, copy_size); > > You get memory corrution if nbytes is less than offset and chdr_size. > > My reading was that in the original code this memcpy() was dead code but > I could have been wrong.
Good point - the call path is not currently used, but we should fix the check. I'd prefer to add this in a follow-on patch, if you have no objection? Cheers, Jes _______________________________________________ devel mailing list [email protected] http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
