lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <58371B39.30503@bfs.de>
Date:   Thu, 24 Nov 2016 17:54:17 +0100
From:   walter harms <wharms@....de>
To:     Brian Masney <masneyb@...tation.org>
CC:     Dan Carpenter <dan.carpenter@...cle.com>,
        Jonathan Cameron <jic23@...nel.org>,
        Hartmut Knaack <knaack.h@....de>,
        Lars-Peter Clausen <lars@...afoo.de>,
        Peter Meerwald-Stadler <pmeerw@...erw.net>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        Eva Rachel Retuya <eraretuya@...il.com>,
        linux-iio@...r.kernel.org, linux-kernel@...r.kernel.org,
        kernel-janitors@...r.kernel.org
Subject: Re: [patch] iio: tsl2583: make array large enough



Am 24.11.2016 16:48, schrieb Brian Masney:
> On Thu, Nov 24, 2016 at 04:38:07PM +0300, Dan Carpenter wrote:
>> This array is supposed to have 10 elements.  Smatch complains that with
>> the current code we can have n == max_ints and read beyond the end of
>> the array.
>>
>> Fixes: ac4f6eee8fe8 ("staging: iio: TAOS tsl258x: Device driver")
>> Signed-off-by: Dan Carpenter <dan.carpenter@...cle.com>
>>
>> diff --git a/drivers/iio/light/tsl2583.c b/drivers/iio/light/tsl2583.c
>> index 0b87f6a..a78b602 100644
>> --- a/drivers/iio/light/tsl2583.c
>> +++ b/drivers/iio/light/tsl2583.c
>> @@ -565,7 +565,7 @@ static ssize_t in_illuminance_lux_table_store(struct device *dev,
>>  	struct iio_dev *indio_dev = dev_to_iio_dev(dev);
>>  	struct tsl2583_chip *chip = iio_priv(indio_dev);
>>  	const unsigned int max_ints = TSL2583_MAX_LUX_TABLE_ENTRIES * 3;
>> -	int value[TSL2583_MAX_LUX_TABLE_ENTRIES * 3];
>> +	int value[TSL2583_MAX_LUX_TABLE_ENTRIES * 3 + 1];
>>  	int ret = -EINVAL;
>>  	unsigned int n;
>>  
> 

sorry i did not notice that bevor ..
there is a
  max_ints = TSL2583_MAX_LUX_TABLE_ENTRIES * 3

IMHO this should read either:
   int value[max_ints+1];
or
  max_ints=ARRAY_SIZE(value)-1;

(my personal favorite is dropping max_ints completely).

re,
 wh

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ