Commit 66c65d90 authored by Craig Markwardt's avatar Craig Markwardt Committed by Jonathan Cameron

iio: Fix a buffer overflow in iio_utils.h example code

This was originally reported by Craig Markwardt on Zubair Lutfullah's
blog and Zubair forwarded it to linux-iio@vger.kernel.org. No email
address known.

The code first counted the number of enabled channels, then created an
array to hold information about them.  The code that filled this array then
stored whether a given element was enabled inside the array.  Curiously
this element was never used.  Craig's patch added a local temporary variable
to avoid the buffer overrun.  Jonathan then removed the original enabled
element of the structure as it was not needed at all.
Signed-off-by: default avatarZubair Lutfullah <zubair.lutfullah@gmail.com>
Signed-off-by: default avatarJonathan Cameron <jic23@kernel.org>
parent e9ed104d
...@@ -77,7 +77,6 @@ struct iio_channel_info { ...@@ -77,7 +77,6 @@ struct iio_channel_info {
uint64_t mask; uint64_t mask;
unsigned be; unsigned be;
unsigned is_signed; unsigned is_signed;
unsigned enabled;
unsigned location; unsigned location;
}; };
...@@ -335,6 +334,7 @@ inline int build_channel_array(const char *device_dir, ...@@ -335,6 +334,7 @@ inline int build_channel_array(const char *device_dir,
while (ent = readdir(dp), ent != NULL) { while (ent = readdir(dp), ent != NULL) {
if (strcmp(ent->d_name + strlen(ent->d_name) - strlen("_en"), if (strcmp(ent->d_name + strlen(ent->d_name) - strlen("_en"),
"_en") == 0) { "_en") == 0) {
int current_enabled = 0;
current = &(*ci_array)[count++]; current = &(*ci_array)[count++];
ret = asprintf(&filename, ret = asprintf(&filename,
"%s/%s", scan_el_dir, ent->d_name); "%s/%s", scan_el_dir, ent->d_name);
...@@ -350,10 +350,10 @@ inline int build_channel_array(const char *device_dir, ...@@ -350,10 +350,10 @@ inline int build_channel_array(const char *device_dir,
ret = -errno; ret = -errno;
goto error_cleanup_array; goto error_cleanup_array;
} }
fscanf(sysfsfp, "%u", &current->enabled); fscanf(sysfsfp, "%u", &current_enabled);
fclose(sysfsfp); fclose(sysfsfp);
if (!current->enabled) { if (!current_enabled) {
free(filename); free(filename);
count--; count--;
continue; continue;
......
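Review bot: In the last hunk, `fscanf(sysfsfp, "%u", &current_enabled)` stores an unsigned conversion through a pointer to the `int current_enabled` declared in the second hunk; declaring it as `unsigned int current_enabled = 0;` would make the format match the argument type. The fscanf() return value is still ignored, so an unreadable or malformed `_en` file is silently treated as a disabled channel; a check such as `if (fscanf(sysfsfp, "%u", &current_enabled) != 1)` with an error path would make that case explicit. Separately, `current = &(*ci_array)[count++];` still claims a slot before the enabled check, and nothing in the visible lines compares `count` with the number of entries allocated from the earlier counting pass described in the commit message. If a channel's `_en` value changes between the two passes, the fill loop could presumably still write past the end of the array, so a bound check before the slot is taken would be worth adding. build_channel_array() starts and ends outside these hunks, so this should be confirmed against the full function.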