From: Dan Carpenter <error27@gmail.com>
To: "Nuno Sá" <nuno.sa@analog.com>
Cc: linux-iio@vger.kernel.org
Subject: [bug report] iio: backend: make sure to NULL terminate stack buffer
Date: Fri, 8 May 2026 12:16:59 +0300 [thread overview]
Message-ID: <af2qC62lFZMgu7Oq@stanley.mountain> (raw)
Hello Nuno Sá,
Commit 035b4989211d ("iio: backend: make sure to NULL terminate stack
buffer") from Feb 18, 2025 (linux-next), leads to the following
Smatch static checker warning:
drivers/iio/industrialio-backend.c:162 iio_backend_debugfs_write_reg()
warn: 'rc' not checked for partial writes
drivers/iio/industrialio-backend.c
149 static ssize_t iio_backend_debugfs_write_reg(struct file *file,
150 const char __user *userbuf,
151 size_t count, loff_t *ppos)
152 {
153 struct iio_backend *back = file->private_data;
154 unsigned int val;
155 char buf[80];
156 ssize_t rc;
157 int ret;
158
159 if (count >= sizeof(buf))
160 return -ENOSPC;
161
--> 162 rc = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, userbuf, count);
163 if (rc < 0)
164 return rc;
165
166 buf[rc] = '\0';
If *ppos is not zero, then the first bytes of buf[] are uninitialized.
The simple_write_to_buffer() function is badly named. It should really
only be used in situations where it makes sense to split the a big write
into multiple writes. This should instead just be:
if (copy_from_user(buf, userbuf, count))
return -EFAULT;
buf[count] = '\0';
167
168 ret = sscanf(buf, "%i %i", &back->cached_reg_addr, &val);
169
170 switch (ret) {
171 case 1:
172 return count;
173 case 2:
174 ret = iio_backend_op_call(back, debugfs_reg_access,
175 back->cached_reg_addr, val, NULL);
176 if (ret)
177 return ret;
178 return count;
179 default:
180 return -EINVAL;
181 }
182 }
This email is a free service from the Smatch-CI project [smatch.sf.net].
regards,
dan carpenter
reply other threads:[~2026-05-08 9:17 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=af2qC62lFZMgu7Oq@stanley.mountain \
--to=error27@gmail.com \
--cc=linux-iio@vger.kernel.org \
--cc=nuno.sa@analog.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox