usb_blk_msg() will return the passed 'len' (64) as the 'actual_len' (cnt) of
the transfer. The addition of the '\0' to the end of the returned string will
overrun the 'rx' array. Increase the array size by 1 to fix the out-of-bounds
write.

Reported-by: coverity (CID 711413)
Signed-off-by: H Hartley Sweeten <hswee...@visionengravers.com>
Cc: Ian Abbott <abbo...@mev.co.uk>
Cc: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
 drivers/staging/comedi/drivers/vmk80xx.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/staging/comedi/drivers/vmk80xx.c 
b/drivers/staging/comedi/drivers/vmk80xx.c
index e371183..e0656d1 100644
--- a/drivers/staging/comedi/drivers/vmk80xx.c
+++ b/drivers/staging/comedi/drivers/vmk80xx.c
@@ -195,7 +195,7 @@ static void vmk80xx_read_eeprom(struct comedi_device *dev, 
int flag)
        unsigned int tx_pipe;
        unsigned int rx_pipe;
        unsigned char tx[1];
-       unsigned char rx[64];
+       unsigned char rx[65];
        int cnt;
 
        tx_pipe = usb_sndbulkpipe(usb, 0x01);
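
Review bot: the new size in `unsigned char rx[65];` is a bare magic number, and nothing in the declaration ties it to the 64-byte transfer length that the commit message says is passed to the bulk read. Consider a named constant for the transfer length, declaring the array as that constant plus one for the terminator, and passing the same constant as 'len', so the buffer and the request cannot drift apart if one is changed later. The bulk call and the write of the '\0' are outside the context shown here, so it is worth confirming in the full function that 'cnt' is only used as an index after a successful transfer.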
-- 
2.3.0
