On Thu, Mar 30, 2017 at 1:52 PM, Chanwoo Choi <cw00.c...@samsung.com> wrote:
> On 2017년 03월 30일 19:38, Andy Shevchenko wrote:
>> On Thu, Mar 30, 2017 at 12:15 PM, Chanwoo Choi <cw00.c...@samsung.com> wrote:
>>> On 2017년 03월 30일 17:59, Andy Shevchenko wrote:
>>>>> for (i = 0; i < edev->max_supported; i++) {
>>>>> count += sprintf(buf + count, "%s=%d\n",
>>>>>
>>>>> extcon_info[edev->supported_cable[i]].name,
>>>>> - !!(edev->state & (1 << i)));
>>>>> + !!(edev->state & BIT(i)));
>>>>> }
>>>>
>>>> While change is okay, the above code is fragile. There is a potential
>>>> buffer overflow.
>>>
>>> When extcon device is registered, extcon_dev_register() check a number of
>>> supported external connectors. The maximum number of supported connectors
>>> is 32. There is no buffer overflow.
>>
>> Is there any limit for name? No, there is not (const char *name).
>> Though for now it is quite unlikely to have the issue.
>
> If there is problem, I want to fix it.
For now it seems no problem.
> I hope your more comment because I don't understand what you point out.
> Did you mention the length of connector name? or buf?
name as a field of sturct __extcon_info.
Means, *potentially* even one record would be enough to break the boundaries.
--
With Best Regards,
Andy Shevchenko
