usb_blk_msg() will return the passed 'len' (64) as the 'actual_len' (cnt) of the transfer. The addition of the '\0' to the end of the returned string will overrun the 'rx' array. Increase the array size by 1 to fix the out-of-bounds write.
Reported-by: coverity (CID 711413) Signed-off-by: H Hartley Sweeten <hswee...@visionengravers.com> Cc: Ian Abbott <abbo...@mev.co.uk> Cc: Greg Kroah-Hartman <gre...@linuxfoundation.org> --- drivers/staging/comedi/drivers/vmk80xx.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/staging/comedi/drivers/vmk80xx.c b/drivers/staging/comedi/drivers/vmk80xx.c index e371183..e0656d1 100644 --- a/drivers/staging/comedi/drivers/vmk80xx.c +++ b/drivers/staging/comedi/drivers/vmk80xx.c @@ -195,7 +195,7 @@ static void vmk80xx_read_eeprom(struct comedi_device *dev, int flag) unsigned int tx_pipe; unsigned int rx_pipe; unsigned char tx[1]; - unsigned char rx[64]; + unsigned char rx[65]; int cnt; tx_pipe = usb_sndbulkpipe(usb, 0x01); -- 2.3.0
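Review bot: The new size in `unsigned char rx[65];` is a bare literal that is only correct while the transfer length stays at 64 (the 'len' named in the commit message), and nothing in the declaration ties the two together. If the length passed to the bulk transfer is ever raised, the terminating '\0' write lands out of bounds again. Consider deriving both from one value, for example a named constant for the transfer length with the array declared as that constant plus 1, or passing `sizeof(rx) - 1` as the length, and add a short comment on the declaration saying the extra byte is reserved for the terminator. The hunk also shows `int cnt;` as the index for that write; since the call and the write are outside the visible context, it is worth confirming that the terminator is only stored after the transfer's return value has been checked, so that `cnt` is known to be initialised and within 0..64.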