Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S933382AbbKRRza (ORCPT ); Wed, 18 Nov 2015 12:55:30 -0500 Received: from smtp113.iad3a.emailsrvr.com ([173.203.187.113]:52319 "EHLO smtp113.iad3a.emailsrvr.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S933317AbbKRRz1 (ORCPT ); Wed, 18 Nov 2015 12:55:27 -0500 X-Auth-ID: abbotti@mev.co.uk X-Sender-Id: abbotti@mev.co.uk From: Ian Abbott To: driverdev-devel@linuxdriverproject.org Cc: Greg Kroah-Hartman , Ian Abbott , H Hartley Sweeten , linux-kernel@vger.kernel.org Subject: [PATCH 4/8] staging: comedi: avoid bad truncation of a size_t in comedi_write() Date: Wed, 18 Nov 2015 17:55:07 +0000 Message-Id: <1447869311-21955-5-git-send-email-abbotti@mev.co.uk> X-Mailer: git-send-email 2.6.2 In-Reply-To: <1447869311-21955-1-git-send-email-abbotti@mev.co.uk> References: <1447869311-21955-1-git-send-email-abbotti@mev.co.uk> Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1547 Lines: 44 At one point in `comedi_write()`, the variable `n` gets assigned to the minimum of the parameter `nbytes` and the amount of writeable buffer space. The way that is done currently is unsafe in the unlikely case that `nbytes` exceeds `UINT_MAX`, so fix it. Signed-off-by: Ian Abbott --- drivers/staging/comedi/comedi_fops.c | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/drivers/staging/comedi/comedi_fops.c b/drivers/staging/comedi/comedi_fops.c index 188a12a..8c784c4 100644 --- a/drivers/staging/comedi/comedi_fops.c +++ b/drivers/staging/comedi/comedi_fops.c @@ -2357,16 +2357,13 @@ static ssize_t comedi_write(struct file *file, const char __user *buf, break; } - n = nbytes; - - m = n; + /* Allocate all free buffer space. */ + comedi_buf_write_alloc(s, async->prealloc_bufsz); + m = comedi_buf_write_n_allocated(s); + /* Avoid buffer wraparound. */ if (async->buf_write_ptr + m > async->prealloc_bufsz) m = async->prealloc_bufsz - async->buf_write_ptr; - comedi_buf_write_alloc(s, async->prealloc_bufsz); - if (m > comedi_buf_write_n_allocated(s)) - m = comedi_buf_write_n_allocated(s); - if (m < n) - n = m; + n = min_t(size_t, m, nbytes); if (n == 0) { if (file->f_flags & O_NONBLOCK) { -- 2.6.2 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/