On Fri, 2018-10-26 at 10:39 -0400, Kyungtae Kim wrote:
> setup_rw_floppy() writes some bytes of array cmd to the floppy disk
> controller, depending on cmd_count.
> Although the size of array cmd is fixed like 16, cmd_count can be much
> larger through raw_cmd_ioctl().
> Noticed there is no bound check for this, thereby leading to invalid
> memory access.

Against which kernel tree did you prepare this patch? Just above the code
you want to insert I found the following:

        if (ptr->cmd_count > 33) ...

Why does that statement compare cmd_count with 33? Is that comparison correct
or not? Anyway, I don't think it makes sense first to compare cmd_count against
33 and next to compare it against 16 ...

> +       if (ptr->cmd_count > ARRAY_SIZE(ptr->cmd))
> +               return -EINVAL;
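Review bot: the hunk does not show how cmd_count is consumed, so these two lines alone cannot settle whether `>` or `>=` is right: if cmd_count is the number of bytes sent from cmd[] (loop index running `i < cmd_count`), then `> ARRAY_SIZE(ptr->cmd)` is the correct reject test and a count equal to the array size is legal; if cmd_count is ever used directly as a subscript, `>=` is required. The commit message should quote the loop bound that makes the chosen operator safe, and the new check should be reconciled with the pre-existing `if (ptr->cmd_count > 33)` comparison above it rather than leaving two different limits in place.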

This comparison looks suspicious to me. Almost every comparison of the type
"... > ARRAY_SIZE()" I have seen so far was wrong and should be changed into
"... >= ARRAY_SIZE()" instead.

Bart.
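An added example, not code from the patch or from the kernel's floppy driver, showing in plain C why the right operator against ARRAY_SIZE() depends on whether the value is a count or an index; the struct, its 16-byte array and the sample bytes are constructed stand-ins for the raw command discussed above.

```c
#include <stddef.h>
#include <stdint.h>
#include <errno.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Hypothetical stand-in for the raw floppy command: a fixed 16-byte
 * command array and a caller-controlled byte count. */
struct raw_cmd_like {
	uint8_t cmd[16];
	size_t cmd_count;
};

/* Constructed sample: only the last byte is non-zero so that an
 * off-by-one in either direction shows up in the results. */
static const struct raw_cmd_like sample = { .cmd = { [15] = 0xAB } };

/* Copy cmd[0 .. cmd_count-1] to out.  cmd_count is a COUNT: the loop
 * index stops before it, so cmd_count == ARRAY_SIZE is the largest safe
 * value and "> ARRAY_SIZE" is the correct reject test.
 * Returns the number of bytes sent, or -EINVAL. */
int send_cmd_bytes(size_t cmd_count, uint8_t out[16])
{
	struct raw_cmd_like rc = sample;

	rc.cmd_count = cmd_count;
	if (rc.cmd_count > ARRAY_SIZE(rc.cmd))
		return -EINVAL;
	for (size_t i = 0; i < rc.cmd_count; i++)
		out[i] = rc.cmd[i];
	return (int)rc.cmd_count;
}

/* Read one byte by INDEX.  The value is used directly as a subscript, so
 * index == ARRAY_SIZE is already out of bounds and ">=" is required; the
 * "> ARRAY_SIZE" form from the count case would let cmd[16] through.
 * Returns the byte value, or -EINVAL. */
int get_cmd_byte(size_t index)
{
	if (index >= ARRAY_SIZE(sample.cmd))
		return -EINVAL;
	return sample.cmd[index];
}

/* Wrapper with a local sink so a send attempt yields a single int. */
int try_send(size_t cmd_count)
{
	uint8_t sink[16];

	return send_cmd_bytes(cmd_count, sink);
}
```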
