Dan Carpenter <dan.carpen...@oracle.com> writes:
> On Tue, May 05, 2015 at 06:36:56PM -0400, Benjamin Romer wrote:
>> From: Jes Sorensen <jes.soren...@redhat.com>
>>
>> Signed-off-by: Jes Sorensen <jes.soren...@redhat.com>
>> Signed-off-by: Benjamin Romer <benjamin.ro...@unisys.com>
>> ---
>> drivers/staging/unisys/visorbus/visorchannel.c | 9 ++++++---
>> 1 file changed, 6 insertions(+), 3 deletions(-)
>>
>> diff --git a/drivers/staging/unisys/visorbus/visorchannel.c
>> b/drivers/staging/unisys/visorbus/visorchannel.c
>> index cae62fed..da7bd9c 100644
>> --- a/drivers/staging/unisys/visorbus/visorchannel.c
>> +++ b/drivers/staging/unisys/visorbus/visorchannel.c
>> @@ -213,13 +213,16 @@ int
>> visorchannel_write(struct visorchannel *channel, ulong offset,
>> void *local, ulong nbytes)
>> {
>> - size_t size = sizeof(struct channel_header);
>> + size_t chdr_size = sizeof(struct channel_header);
>> + size_t copy_size;
>>
>> if (offset + nbytes > channel->memregion.nbytes)
>> return -EIO;
>>
>> - if (!offset && nbytes >= size)
>> - memcpy(&channel->chan_hdr, local, size);
>> + if (offset < chdr_size) {
>> + copy_size = min(chdr_size, nbytes) - offset;
>> + memcpy(&channel->chan_hdr + offset, local, copy_size);
>
> You get memory corrution if nbytes is less than offset and chdr_size.
>
> My reading was that in the original code this memcpy() was dead code but
> I could have been wrong.
Good point - the call path is not currently used, but we should fix the
check.
I'd prefer to add this in a follow-on patch, if you have no objection?
Cheers,
Jes
_______________________________________________
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
