From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1756844AbcA3Of1 (ORCPT ); Sat, 30 Jan 2016 09:35:27 -0500 Received: from userp1040.oracle.com ([156.151.31.81]:40948 "EHLO userp1040.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754466AbcA3OfY (ORCPT ); Sat, 30 Jan 2016 09:35:24 -0500 Date: Sat, 30 Jan 2016 17:34:55 +0300 From: Dan Carpenter To: Greg Kroah-Hartman Cc: Aaron Raimist , accessrunner-general@lists.sourceforge.net, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org Subject: [patch] USB: cxacru: fix an bounds check warning Message-ID: <20160130143455.GA3462@mwanda> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.5.24 (2015-08-30) X-Source-IP: userv0022.oracle.com [156.151.31.74] Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org This is a privileged operation so it doesn't matter much. We use "tmp" as an offset into an array. If it were invalid we could read out of bounds and trigger an oops if the memory is not mapped. Plus it makes static checkers complain. Signed-off-by: Dan Carpenter --- This changes the behavior a little bit because in the original we could give slightly invalid "len" values and the function would still work... Please review it extra carefully to make sure it doesn't break userspace. diff --git a/drivers/usb/atm/cxacru.c b/drivers/usb/atm/cxacru.c index 1173f9c..0a866e9 100644 --- a/drivers/usb/atm/cxacru.c +++ b/drivers/usb/atm/cxacru.c @@ -476,6 +476,8 @@ static ssize_t cxacru_sysfs_store_adsl_config(struct device *dev, return -EINVAL; if (index < 0 || index > 0x7f) return -EINVAL; + if (tmp < 0 || tmp > len - pos) + return -EINVAL; pos += tmp; /* skip trailing newline */