From: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
To: Dan Carpenter <dan.carpenter@oracle.com>
Cc: "Hyun Kwon" <hyun.kwon@xilinx.com>,
"Mauro Carvalho Chehab" <mchehab@osg.samsung.com>,
"Michal Simek" <michal.simek@xilinx.com>,
"Sören Brinkmann" <soren.brinkmann@xilinx.com>,
linux-media@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: Re: [patch] [media] v4l: xilinx: harmless buffer overflow
Date: Tue, 21 Apr 2015 16:20 +0300 [thread overview]
Message-ID: <1496059.xVrMZN3Nsa@avalon> (raw)
In-Reply-To: <20150421093110.GD12098@mwanda>
Hi Dan,
Thank you for the patch.
On Tuesday 21 April 2015 12:31:10 Dan Carpenter wrote:
> My static checker warns that the name of the port can be 15 characters
> when you consider the NUL terminator and that's one more than the 14
> characters in name[]. Maybe it's an off-by-one?
>
> It's unlikely that we hit the limit and even if we do the overflow will
> only affect one of the two bytes of padding so it's harmless. Still
> let's fix it and also change the sprintf() to snprintf().
>
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>
> diff --git a/drivers/media/platform/xilinx/xilinx-dma.c
> b/drivers/media/platform/xilinx/xilinx-dma.c index efde88a..98e50e4 100644
> --- a/drivers/media/platform/xilinx/xilinx-dma.c
> +++ b/drivers/media/platform/xilinx/xilinx-dma.c
> @@ -653,7 +653,7 @@ static const struct v4l2_file_operations xvip_dma_fops =
> { int xvip_dma_init(struct xvip_composite_device *xdev, struct xvip_dma
> *dma, enum v4l2_buf_type type, unsigned int port)
> {
> - char name[14];
> + char name[16];
Being pedantic we could use name[15], but it wouldn't make any difference.
> int ret;
>
> dma->xdev = xdev;
> @@ -725,7 +725,7 @@ int xvip_dma_init(struct xvip_composite_device *xdev,
> struct xvip_dma *dma, }
>
> /* ... and the DMA channel. */
> - sprintf(name, "port%u", port);
> + snprintf(name, sizeof(name), "port%u", port);
Nitpicking again, I'd say that sprintf is enough as we know it won't overflow.
However, as the sprintf implementation is a wrapper around vsnprintf with size
set to INT_MAX, using snprintf won't incur any runtime performance penalty.
Acked-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
and applied to my tree.
> dma->dma = dma_request_slave_channel(dma->xdev->dev, name);
> if (dma->dma == NULL) {
> dev_err(dma->xdev->dev, "no VDMA channel found\n");
--
Regards,
Laurent Pinchart
prev parent reply other threads:[~2015-04-21 13:19 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-04-21 9:31 [patch] [media] v4l: xilinx: harmless buffer overflow Dan Carpenter
2015-04-21 13:20 ` Laurent Pinchart [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1496059.xVrMZN3Nsa@avalon \
--to=laurent.pinchart@ideasonboard.com \
--cc=dan.carpenter@oracle.com \
--cc=hyun.kwon@xilinx.com \
--cc=kernel-janitors@vger.kernel.org \
--cc=linux-media@vger.kernel.org \
--cc=mchehab@osg.samsung.com \
--cc=michal.simek@xilinx.com \
--cc=soren.brinkmann@xilinx.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox