Fix the array size check in the sigma_write_register() routine.  The
'len' parameter specifies the number of bytes to write, while the 'buf'
array holds one nibble per array item.

The previous implementation (commit e8686e3ae36c1) switched to a
constant size and made the buffer large enough so that no existing
request would exceed the buffer, fixing an overflow that was present
before that commit.  But the most recent size check was incomplete and
might erroneously succeed for larger amounts of write data.

It's assumed that the issue which gets addressed here never occurred in
practice.  The constant-size buffer could hold up to 39 bytes of input
data in their transport representation, while the largest data that was
passed to the write routine is six bytes (trigger LUT params).

Fixes: e8686e3ae36c1 "asix-sigma: Avoid use of variable length arrays"

Signed-off-by: Gerhard Sittig <>
 src/hardware/asix-sigma/protocol.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/hardware/asix-sigma/protocol.c 
index 0f2698fc7ab6..83beb14d8748 100644
--- a/src/hardware/asix-sigma/protocol.c
+++ b/src/hardware/asix-sigma/protocol.c
@@ -98,23 +98,23 @@ static int sigma_write(void *buf, size_t size, struct 
dev_context *devc)
  * NOTE: We chose the buffer size to be large enough to hold any write to the
  * device. We still print a message just in case.
 SR_PRIV int sigma_write_register(uint8_t reg, uint8_t *data, size_t len,
                                 struct dev_context *devc)
        size_t i;
        uint8_t buf[80];
        int idx = 0;
-       if ((len + 2) > sizeof(buf)) {
+       if ((2 * len + 2) > sizeof(buf)) {
                sr_err("Attempted to write %zu bytes, but buffer is too small.",
-                      len + 2);
+                      len);
                return SR_ERR_BUG;
        buf[idx++] = REG_ADDR_LOW | (reg & 0xf);
        buf[idx++] = REG_ADDR_HIGH | (reg >> 4);
        for (i = 0; i < len; i++) {
                buf[idx++] = REG_DATA_LOW | (data[i] & 0xf);
                buf[idx++] = REG_DATA_HIGH_WRITE | (data[i] >> 4);
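
Review bot: The new bound in `if ((2 * len + 2) > sizeof(buf))` is computed in size_t arithmetic, so for a very large 'len' the expression can wrap around and the check would pass again. Comparing against the capacity instead, as in `len > (sizeof(buf) - 2) / 2`, keeps the same limit of 39 data bytes for the 80-byte buffer without any multiplication on the caller-supplied value. The factor 2 (two nibbles per data byte) and the constant 2 (the two register address items) deserve a short comment next to the check, since the existing NOTE above the function only says the buffer is "large enough". The error message now prints 'len' alone; printing the maximum accepted length as well would make the log line useful for whoever hits it.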

sigrok-devel mailing list