Commit ef4b4856 authored by Jonathan Cameron's avatar Jonathan Cameron

iio:core: Fix bug in length of event info_mask and catch unhandled bits set in masks.

The unhandled bits case was highlighted by smatch:
  CHECK   drivers/iio/industrialio-core.c
drivers/iio/industrialio-core.c:719 iio_device_add_info_mask_type() error: buffer overflow 'iio_chan_info_postfix' 17 <= 31
  CC [M]  drivers/iio/industrialio-core.o
  CHECK   drivers/iio/industrialio-event.c
drivers/iio/industrialio-event.c:327 iio_device_add_event() error: buffer overflow 'iio_ev_info_text' 3 <= 3

The incorrect limit for the for_each_set_bit loop was noticed whilst fixing
this other case.  Note that as we only have 3 possible entries a the moment
and the value was set to 4, the bug would not have any effect currently.
It will bite fairly soon though, so best fix it now.
Signed-off-by: default avatarJonathan Cameron <jic23@kernel.org>
Cc: Lars-Peter Clausen <lars@metafoo.de>
Cc: Dan Carpenter <dan.carpenter@oracle.com>
parent 2816ac64
...@@ -716,6 +716,8 @@ static int iio_device_add_info_mask_type(struct iio_dev *indio_dev, ...@@ -716,6 +716,8 @@ static int iio_device_add_info_mask_type(struct iio_dev *indio_dev,
int i, ret, attrcount = 0; int i, ret, attrcount = 0;
for_each_set_bit(i, infomask, sizeof(infomask)*8) { for_each_set_bit(i, infomask, sizeof(infomask)*8) {
if (i >= ARRAY_SIZE(iio_chan_info_postfix))
return -EINVAL;
ret = __iio_add_chan_devattr(iio_chan_info_postfix[i], ret = __iio_add_chan_devattr(iio_chan_info_postfix[i],
chan, chan,
&iio_read_channel_info, &iio_read_channel_info,
......
...@@ -321,7 +321,9 @@ static int iio_device_add_event(struct iio_dev *indio_dev, ...@@ -321,7 +321,9 @@ static int iio_device_add_event(struct iio_dev *indio_dev,
char *postfix; char *postfix;
int ret; int ret;
for_each_set_bit(i, mask, sizeof(*mask)) { for_each_set_bit(i, mask, sizeof(*mask)*8) {
if (i >= ARRAY_SIZE(iio_ev_info_text))
return -EINVAL;
postfix = kasprintf(GFP_KERNEL, "%s_%s_%s", postfix = kasprintf(GFP_KERNEL, "%s_%s_%s",
iio_ev_type_text[type], iio_ev_dir_text[dir], iio_ev_type_text[type], iio_ev_dir_text[dir],
iio_ev_info_text[i]); iio_ev_info_text[i]);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment