Dan Carpenter <dan.carpen...@oracle.com> writes:
> On Tue, May 05, 2015 at 06:36:56PM -0400, Benjamin Romer wrote:
>> From: Jes Sorensen <jes.soren...@redhat.com>
>> 
>> Signed-off-by: Jes Sorensen <jes.soren...@redhat.com>
>> Signed-off-by: Benjamin Romer <benjamin.ro...@unisys.com>
>> ---
>>  drivers/staging/unisys/visorbus/visorchannel.c | 9 ++++++---
>>  1 file changed, 6 insertions(+), 3 deletions(-)
>> 
>> diff --git a/drivers/staging/unisys/visorbus/visorchannel.c 
>> b/drivers/staging/unisys/visorbus/visorchannel.c
>> index cae62fed..da7bd9c 100644
>> --- a/drivers/staging/unisys/visorbus/visorchannel.c
>> +++ b/drivers/staging/unisys/visorbus/visorchannel.c
>> @@ -213,13 +213,16 @@ int
>>  visorchannel_write(struct visorchannel *channel, ulong offset,
>>                 void *local, ulong nbytes)
>>  {
>> -    size_t size = sizeof(struct channel_header);
>> +    size_t chdr_size = sizeof(struct channel_header);
>> +    size_t copy_size;
>>  
>>      if (offset + nbytes > channel->memregion.nbytes)
>>              return -EIO;
>>  
>> -    if (!offset && nbytes >= size)
>> -            memcpy(&channel->chan_hdr, local, size);
>> +    if (offset < chdr_size) {
>> +            copy_size = min(chdr_size, nbytes) - offset;
>> +            memcpy(&channel->chan_hdr + offset, local, copy_size);
>
> You get memory corrution if nbytes is less than offset and chdr_size.
>
> My reading was that in the original code this memcpy() was dead code but
> I could have been wrong.

Good point - the call path is not currently used, but we should fix the
check.

I'd prefer to add this in a follow-on patch, if you have no objection?

Cheers,
Jes
_______________________________________________
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

Reply via email to