[prev in list] [next in list] [prev in thread] [next in thread]
List: kernel-janitors
Subject: Re: [patch] mtd/docg3: off by one in doc_register_sysfs()
From: Brian Norris <computersforpeace () gmail ! com>
Date: 2015-10-26 18:45:52
Message-ID: 20151026184552.GD13239 () google ! com
[Download RAW message or body]
On Sun, Oct 25, 2015 at 08:54:16AM +0100, Robert Jarzmik wrote:
> Dan Carpenter <dan.carpenter@oracle.com> writes:
>
> > On Sat, Oct 24, 2015 at 11:49:27AM +0200, Robert Jarzmik wrote:
> >> Dan Carpenter <dan.carpenter@oracle.com> writes:
> >>
> >> > Smatch found a bug in the error handling:
> >> >
> >> > drivers/mtd/devices/docg3.c:1634 doc_register_sysfs()
> >> > error: buffer overflow 'doc_sys_attrs' 4 <= 4
> >> >
> >> > The problem is that if the very last device_create_file() fails, then we
> >> > are beyond the end of the array. Actually, any time i == 3 then there
> >> > is a problem. We can fix this an simplify the code at the same time by
> >> > moving the !ret conditions out of the for loops and using a goto
> >> > instead.
> >>
> >> Hi Dan,
> >>
> >> I must admit I don't see the issue here :
> >> - if the last device_create_file() fail, we have :
> >> - i = 3, ret = -Exxx
> >> - doc_sys_attrs[floor][0] is populated
> >> - doc_sys_attrs[floor][1] is populated
> >> - doc_sys_attrs[floor][2] is populated
> >> - doc_sys_attrs[floor][3] is probably NULL
> >
> > We increment "i" to 4.
> Ah yes, I see it now, thanks. Somehow in my brain the !ret condition in the for
> loop was preventing the increment ... silly.
>
> So:
> Acked-by: Robert Jarzmik <robert.jarzmik@free.fr>
Applied to l2-mtd.git. Thanks.
--
To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic