2010-02-18 19:03:27

by Alan

Subject: [RESEND PATCH] dvb: copy_from_user checks

I don't believe the frag count can ever get loaded with a negative value
even with the -2 but neither the compiler (nor I ;)) can prove it so keep
us both happy.

Signed-off-by: Alan Cox <[email protected]>
---

drivers/media/dvb/dvb-core/dvb_ca_en50221.c | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)


diff --git a/drivers/media/dvb/dvb-core/dvb_ca_en50221.c b/drivers/media/dvb/dvb-core/dvb_ca_en50221.c
index cb22da5..2cf03e9 100644
--- a/drivers/media/dvb/dvb-core/dvb_ca_en50221.c
+++ b/drivers/media/dvb/dvb-core/dvb_ca_en50221.c
@@ -1280,7 +1280,7 @@ static ssize_t dvb_ca_en50221_io_write(struct file *file,
u8 slot, connection_id;
int status;
u8 fragbuf[HOST_LINK_BUF_SIZE];
- int fragpos = 0;
+ unsigned int fragpos = 0;
int fraglen;
unsigned long timeout;
int written;
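
Review bot: fragpos becomes unsigned int here while fraglen and written, declared on the lines just below, stay int, and the changelog only discusses the frag count, not this type change. Every expression that mixes fragpos with fraglen is now evaluated unsigned, including '(fragpos + fraglen) < count' in the next hunk. Please either say in the commit message why fragpos changes type, or make the position and length variables one consistent type so the comparisons do not depend on implicit conversions.
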
@@ -1308,6 +1308,8 @@ static ssize_t dvb_ca_en50221_io_write(struct file *file,
fraglen = ca->slot_info[slot].link_buf_size - 2;
if ((count - fragpos) < fraglen)
fraglen = count - fragpos;
+ if (fraglen < 0)
+ fraglen = 0;

fragbuf[0] = connection_id;
fragbuf[1] = ((fragpos + fraglen) < count) ? 0x80 : 0x00;
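
Review bot: the new 'if (fraglen < 0)' check comes after the '(count - fragpos) < fraglen' comparison, and with fragpos unsigned that comparison converts fraglen to unsigned first. A negative result from 'link_buf_size - 2' therefore compares as a very large value, the branch is taken, and fraglen is overwritten with 'count - fragpos' before the clamp can see it. Suggest testing directly after the 'link_buf_size - 2' assignment instead, and returning an error there rather than clamping to 0, since a zero-length fragment with '(fragpos + fraglen) < count' still true sets the 0x80 flag on an empty fragment. As fragbuf is a fixed HOST_LINK_BUF_SIZE array with two header bytes, a check that fraglen fits in the remaining space would belong in the same place.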


2010-02-19 13:59:23

by Olivier Galibert

Subject: Re: [RESEND PATCH] dvb: copy_from_user checks

On Thu, Feb 18, 2010 at 06:39:16PM +0000, Alan Cox wrote:
> I don't believe the frag count can ever get loaded with a negative value
> even with the -2 but neither the compiler (nor I ;)) can prove it so keep
> us both happy.
>
> Signed-off-by: Alan Cox <[email protected]>
> ---
>
> drivers/media/dvb/dvb-core/dvb_ca_en50221.c | 4 +++-
> 1 files changed, 3 insertions(+), 1 deletions(-)
>
>
> diff --git a/drivers/media/dvb/dvb-core/dvb_ca_en50221.c b/drivers/media/dvb/dvb-core/dvb_ca_en50221.c
> index cb22da5..2cf03e9 100644
> --- a/drivers/media/dvb/dvb-core/dvb_ca_en50221.c
> +++ b/drivers/media/dvb/dvb-core/dvb_ca_en50221.c
> @@ -1280,7 +1280,7 @@ static ssize_t dvb_ca_en50221_io_write(struct file *file,
> u8 slot, connection_id;
> int status;
> u8 fragbuf[HOST_LINK_BUF_SIZE];
> - int fragpos = 0;
> + unsigned int fragpos = 0;
> int fraglen;
> unsigned long timeout;
> int written;
> @@ -1308,6 +1308,8 @@ static ssize_t dvb_ca_en50221_io_write(struct file *file,
> fraglen = ca->slot_info[slot].link_buf_size - 2;
> if ((count - fragpos) < fraglen)
> fraglen = count - fragpos;
> + if (fraglen < 0)
> + fraglen = 0;

If fragpos is unsigned int, then the < fraglen comparison is going to
be unsigned, which is probably not what you want either, is it?

OG.
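
The signed/unsigned comparison raised in this reply, as an added example that is not code from the patch or from the driver. It assumes count is a size_t, as is usual for a write handler; the function names, their parameters and the input values are constructed, and the casts spell out the conversions C applies implicitly.

```c
#include <stddef.h>
#include <stdio.h>

/* Fragment-length logic in the shape of the patched hunk. The standalone
 * function is constructed for this example; count as size_t is an assumption. */
static int fraglen_patched(size_t count, unsigned int fragpos, int link_buf_size)
{
	int fraglen = link_buf_size - 2;

	/* A negative fraglen converts to a huge unsigned value here, so the
	 * branch is taken and the negative value is overwritten. */
	if ((count - fragpos) < (size_t)fraglen)
		fraglen = (int)(count - fragpos);
	if (fraglen < 0)	/* never sees the negative value from above */
		fraglen = 0;
	return fraglen;
}

/* One possible stricter variant (an assumption, not the driver's code):
 * reject a link buffer that cannot hold the 2-byte header, then compare
 * in a single unsigned type. Returns -1 on invalid input. */
static int fraglen_checked(size_t count, size_t fragpos, int link_buf_size)
{
	size_t max_payload, remaining;

	if (link_buf_size <= 2 || fragpos > count)
		return -1;
	max_payload = (size_t)link_buf_size - 2;
	remaining = count - fragpos;
	return (int)(remaining < max_payload ? remaining : max_payload);
}

int main(void)
{
	/* Constructed inputs: a 300-byte write and a link_buf_size of 1. */
	printf("patched, link_buf_size 1:   %d\n", fraglen_patched(300, 0, 1));
	printf("checked, link_buf_size 1:   %d\n", fraglen_checked(300, 0, 1));
	printf("patched, link_buf_size 128: %d\n", fraglen_patched(300, 256, 128));
	printf("checked, link_buf_size 128: %d\n", fraglen_checked(300, 256, 128));
	return 0;
}
```

With a link_buf_size of 1 the patched logic returns the full remaining count rather than 0, because the clamp runs after the unsigned comparison has already replaced the negative value.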