On Tue, Jul 28, 2015 at 05:16:08PM +0200, Christian Gromm wrote:
> This patch fixes wrong casting. A high value of "len" is cast to
> negative and thus the minimum resulting in memory corruption.
> 

It can't actually though, because it's capped at a PAGE_SIZE, I think.
Pretty much all kernel read/write len parameters are capped to prevent
this type of error.

> Reported-by: Dan Carpenter <dan.carpen...@oracle.com>
> Signed-off-by: Christian Gromm <christian.gr...@microchip.com>
> ---
>  drivers/staging/most/mostcore/core.c |    4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/staging/most/mostcore/core.c 
> b/drivers/staging/most/mostcore/core.c
> index f4f9034..d566d8e 100644
> --- a/drivers/staging/most/mostcore/core.c
> +++ b/drivers/staging/most/mostcore/core.c
> @@ -973,7 +973,7 @@ static ssize_t store_add_link(struct most_aim_obj 
> *aim_obj,
>       char *mdev_devnod;
>       char devnod_buf[STRING_SIZE];
>       int ret;
> -     unsigned int max_len = min((int)len + 1, STRING_SIZE);
> +     size_t max_len = min(len + 1, (size_t)STRING_SIZE);
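
Review bot: On the added max_len line, len + 1 is now computed as size_t, so the sign problem is gone, but a len of SIZE_MAX would wrap to 0 and make max_len 0. The later uses of max_len in store_add_link() are outside this hunk, so either confirm a zero length is safe there or clamp before adding, e.g. min_t(size_t, len, STRING_SIZE - 1) + 1. The explicit (size_t) cast on STRING_SIZE is only there to satisfy min()'s type check; min_t() names the comparison type once instead.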

Please use min_t().  I should have said earlier.

        unsigned int max_len = min_t(size_t, len + 1, STRING_SIZE);

regards,
dan carpenter
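
The cast problem discussed in this thread, as an added user-space example (not code from the patch or the driver): it compares the removed expression with the min_t() form from the reply, and checks that the two agree while len stays under a cap. STRING_SIZE = 80, the 4096 cap and the local min_t macro are assumptions made for the demo.

```c
#include <stddef.h>
#include <stdio.h>

#define STRING_SIZE 80   /* assumed for this example; the driver's value is not on the page */
#define LEN_CAP 4096     /* assumed PAGE_SIZE, the cap mentioned in the reply */

/* User-space stand-in for the kernel's min_t(): cast both sides, then compare. */
#define min_t(type, a, b) ((type)(a) < (type)(b) ? (type)(a) : (type)(b))

/* Removed line: len is narrowed to int before the comparison. */
static unsigned int max_len_old(size_t len)
{
	int a = (int)len + 1;   /* can go negative once len exceeds INT_MAX */
	int b = STRING_SIZE;

	/* A negative minimum turns into a huge unsigned length. */
	return (unsigned int)(a < b ? a : b);
}

/* Form suggested in the reply: compare as size_t. */
static unsigned int max_len_min_t(size_t len)
{
	return (unsigned int)min_t(size_t, len + 1, STRING_SIZE);
}

/* Returns 1 if both forms give the same result for every len up to cap. */
static int forms_agree_up_to(size_t cap)
{
	for (size_t len = 0; len <= cap; len++)
		if (max_len_old(len) != max_len_min_t(len))
			return 0;
	return 1;
}

int main(void)
{
	size_t big = (size_t)0xFFFFFFF0u;   /* constructed out-of-range length */

	printf("old(big)   = %u\n", max_len_old(big));
	printf("min_t(big) = %u\n", max_len_min_t(big));
	printf("agree up to cap: %d\n", forms_agree_up_to(LEN_CAP));
	return 0;
}
```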
