From: Jonathan Cameron <jic23@kernel.org>
To: Irina Tirdea <irina.tirdea@intel.com>,
	linux-iio@vger.kernel.org, Hartmut Knaack <knaack.h@gmx.de>
Cc: linux-kernel@vger.kernel.org, Vlad Dogaru <vlad.dogaru@intel.com>
Subject: Re: [PATCH v2 03/17] iio: accel: mma9551_core: prevent buffer overrun
Date: Sun, 26 Apr 2015 19:41:09 +0100
Message-ID: <553D3145.8080707@kernel.org>
In-Reply-To: <1428939664-12503-4-git-send-email-irina.tirdea@intel.com>

On 13/04/15 16:40, Irina Tirdea wrote:
> The mma9551 functions that read/write word arrays from the
> device have a limit for the buffer size given by the device
> specifications.
> 
> Check that the requested buffer length is within required limits
> when transferring word arrays. This will prevent buffer overrun
> in the mma9551_read/write_*_words functions and also in the
> mma9551_transfer call when writing into the MBOX response/request
> structure.
> 
> Signed-off-by: Irina Tirdea <irina.tirdea@intel.com>
> Reported-by: Hartmut Knaack <knaack.h@gmx.de>
Applied to the fixes-togreg branch of iio.git

Thanks,

Jonathan
> ---
>  drivers/iio/accel/mma9551_core.c | 21 ++++++++++++++++++---
>  1 file changed, 18 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/iio/accel/mma9551_core.c b/drivers/iio/accel/mma9551_core.c
> index 7f55a6d..c6d5a3a 100644
> --- a/drivers/iio/accel/mma9551_core.c
> +++ b/drivers/iio/accel/mma9551_core.c
> @@ -389,7 +389,12 @@ int mma9551_read_config_words(struct i2c_client *client, u8 app_id,
>  {
>  	int ret, i;
>  	int len_words = len / sizeof(u16);
> -	__be16 be_buf[MMA9551_MAX_MAILBOX_DATA_REGS];
> +	__be16 be_buf[MMA9551_MAX_MAILBOX_DATA_REGS / 2];
> +
> +	if (len_words > ARRAY_SIZE(be_buf)) {
> +		dev_err(&client->dev, "Invalid buffer size %d\n", len);
> +		return -EINVAL;
> +	}
>  
>  	ret = mma9551_transfer(client, app_id, MMA9551_CMD_READ_CONFIG,
>  			       reg, NULL, 0, (u8 *) be_buf, len);
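
Review bot: in mma9551_read_config_words the new bound is tested on len_words, but the mma9551_transfer call right below it still passes len in bytes, and len / sizeof(u16) rounds down. An odd len that is one byte larger than sizeof(be_buf) yields len_words equal to ARRAY_SIZE(be_buf), passes the check, and requests one byte more than be_buf can hold, unless mma9551_transfer bounds the length itself, which is not visible in this hunk. Checking the byte count, e.g. `if (len > sizeof(be_buf))`, or rejecting odd lengths before the division would close that gap.
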
> @@ -424,7 +429,12 @@ int mma9551_read_status_words(struct i2c_client *client, u8 app_id,
>  {
>  	int ret, i;
>  	int len_words = len / sizeof(u16);
> -	__be16 be_buf[MMA9551_MAX_MAILBOX_DATA_REGS];
> +	__be16 be_buf[MMA9551_MAX_MAILBOX_DATA_REGS / 2];
> +
> +	if (len_words > ARRAY_SIZE(be_buf)) {
> +		dev_err(&client->dev, "Invalid buffer size %d\n", len);
> +		return -EINVAL;
> +	}
>  
>  	ret = mma9551_transfer(client, app_id, MMA9551_CMD_READ_STATUS,
>  			       reg, NULL, 0, (u8 *) be_buf, len);
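
Review bot: in mma9551_read_status_words the check `len_words > ARRAY_SIZE(be_buf)` compares an int against an unsigned size, so a negative length is rejected only because of the implicit conversion to unsigned. Declaring the length and len_words as unsigned, or adding an explicit `len < 0` test, would make that intent visible and avoid sign-compare warnings. The dev_err text is also identical to the one in the config read and write paths, so a log line cannot tell which caller was rejected; naming the operation in the message would help when triaging.
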
> @@ -459,7 +469,12 @@ int mma9551_write_config_words(struct i2c_client *client, u8 app_id,
>  {
>  	int i;
>  	int len_words = len / sizeof(u16);
> -	__be16 be_buf[MMA9551_MAX_MAILBOX_DATA_REGS];
> +	__be16 be_buf[(MMA9551_MAX_MAILBOX_DATA_REGS - 1) / 2];
> +
> +	if (len_words > ARRAY_SIZE(be_buf)) {
> +		dev_err(&client->dev, "Invalid buffer size %d\n", len);
> +		return -EINVAL;
> +	}
>  
>  	for (i = 0; i < len_words; i++)
>  		be_buf[i] = cpu_to_be16(buf[i]);
> 
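
Review bot: the write path sizes be_buf as `(MMA9551_MAX_MAILBOX_DATA_REGS - 1) / 2` while both read paths use `MMA9551_MAX_MAILBOX_DATA_REGS / 2`, and nothing in the hunk says where the extra `- 1` comes from. A short comment citing the device limit, or separate named macros for the read and write maximums, would keep a later cleanup from "unifying" the two sizes and reintroducing the overrun. The conversion loop below is bounded by len_words, so it is covered by the new check as long as that check stays ahead of it.
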

