diff options
| author | Craig Markwardt <> | 2014-01-01 10:38:52 -0500 |
|---|---|---|
| committer | Jonathan Cameron <jic23@kernel.org> | 2014-01-01 10:48:58 -0500 |
| commit | 66c65d90db1004356281db6ead988e2e38ba9e37 (patch) | |
| tree | 5f303f7f64af375931a93519da982c62f41caddf | |
| parent | e9ed104de68c345c9a827225e93c74c6894613a9 (diff) | |
iio: Fix a buffer overflow in iio_utils.h example code
This was originally reported by Craig Markwardt on Zubair Lutfullah's
blog and Zubair forwarded it to linux-iio@vger.kernel.org. No email
address known.
The code first counted the number of enabled channels, then created an
array to hold information about them. The code that filled this array then
stored whether a given element was enabled inside the array. Curriously
this element was never used. Craig's patch added a local temporary variable
to avoid the buffer overrun. Jonathan then removed the original enabled
element of the structure as it was not needed at all.
Signed-off-by: Zubair Lutfullah <zubair.lutfullah@gmail.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
| -rw-r--r-- | drivers/staging/iio/Documentation/iio_utils.h | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/drivers/staging/iio/Documentation/iio_utils.h b/drivers/staging/iio/Documentation/iio_utils.h index 35154d60faf6..c9fedb79e3a2 100644 --- a/drivers/staging/iio/Documentation/iio_utils.h +++ b/drivers/staging/iio/Documentation/iio_utils.h | |||
| @@ -77,7 +77,6 @@ struct iio_channel_info { | |||
| 77 | uint64_t mask; | 77 | uint64_t mask; |
| 78 | unsigned be; | 78 | unsigned be; |
| 79 | unsigned is_signed; | 79 | unsigned is_signed; |
| 80 | unsigned enabled; | ||
| 81 | unsigned location; | 80 | unsigned location; |
| 82 | }; | 81 | }; |
| 83 | 82 | ||
| @@ -335,6 +334,7 @@ inline int build_channel_array(const char *device_dir, | |||
| 335 | while (ent = readdir(dp), ent != NULL) { | 334 | while (ent = readdir(dp), ent != NULL) { |
| 336 | if (strcmp(ent->d_name + strlen(ent->d_name) - strlen("_en"), | 335 | if (strcmp(ent->d_name + strlen(ent->d_name) - strlen("_en"), |
| 337 | "_en") == 0) { | 336 | "_en") == 0) { |
| 337 | int current_enabled = 0; | ||
| 338 | current = &(*ci_array)[count++]; | 338 | current = &(*ci_array)[count++]; |
| 339 | ret = asprintf(&filename, | 339 | ret = asprintf(&filename, |
| 340 | "%s/%s", scan_el_dir, ent->d_name); | 340 | "%s/%s", scan_el_dir, ent->d_name); |
| @@ -350,10 +350,10 @@ inline int build_channel_array(const char *device_dir, | |||
| 350 | ret = -errno; | 350 | ret = -errno; |
| 351 | goto error_cleanup_array; | 351 | goto error_cleanup_array; |
| 352 | } | 352 | } |
| 353 | fscanf(sysfsfp, "%u", ¤t->enabled); | 353 | fscanf(sysfsfp, "%u", ¤t_enabled); |
| 354 | fclose(sysfsfp); | 354 | fclose(sysfsfp); |
| 355 | 355 | ||
| 356 | if (!current->enabled) { | 356 | if (!current_enabled) { |
| 357 | free(filename); | 357 | free(filename); |
| 358 | count--; | 358 | count--; |
| 359 | continue; | 359 | continue; |