On Tue, May 05, 2015 at 06:36:56PM -0400, Benjamin Romer wrote:
> From: Jes Sorensen <jes.soren...@redhat.com>
> 
> Signed-off-by: Jes Sorensen <jes.soren...@redhat.com>
> Signed-off-by: Benjamin Romer <benjamin.ro...@unisys.com>
> ---
>  drivers/staging/unisys/visorbus/visorchannel.c | 9 ++++++---
>  1 file changed, 6 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/staging/unisys/visorbus/visorchannel.c 
> b/drivers/staging/unisys/visorbus/visorchannel.c
> index cae62fed..da7bd9c 100644
> --- a/drivers/staging/unisys/visorbus/visorchannel.c
> +++ b/drivers/staging/unisys/visorbus/visorchannel.c
> @@ -213,13 +213,16 @@ int
>  visorchannel_write(struct visorchannel *channel, ulong offset,
>                  void *local, ulong nbytes)
>  {
> -     size_t size = sizeof(struct channel_header);
> +     size_t chdr_size = sizeof(struct channel_header);
> +     size_t copy_size;
>  
>       if (offset + nbytes > channel->memregion.nbytes)
>               return -EIO;
>  
> -     if (!offset && nbytes >= size)
> -             memcpy(&channel->chan_hdr, local, size);
> +     if (offset < chdr_size) {
> +             copy_size = min(chdr_size, nbytes) - offset;
> +             memcpy(&channel->chan_hdr + offset, local, copy_size);
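
Review bot: the memcpy() destination `&channel->chan_hdr + offset` is pointer arithmetic on a struct pointer, so (assuming chan_hdr is a struct channel_header, as the sizeof and the old memcpy() suggest) a non-zero offset advances by offset * sizeof(struct channel_header) rather than by offset bytes and lands outside the header. Cast to a byte pointer first, for example `(u8 *)&channel->chan_hdr + offset`. The length on the line above should also be computed as `min(chdr_size - offset, nbytes)`: as written, `min(chdr_size, nbytes) - offset` is unsigned and wraps to a huge value whenever nbytes < offset, and even when it does not wrap it can exceed nbytes and read past the end of `local`.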

You get memory corruption if nbytes is less than offset and chdr_size.

My reading was that in the original code this memcpy() was dead code but
I could have been wrong.

regards,
dan carpenter
