[PATCH] iio: dac: fix off-by-one comparison and out-of-bounds write

From: Colin King
Date: Thu Jun 02 2016 - 06:06:45 EST

Next message: Gabriele Paoloni: "RE: [PATCH V8 0/9] Support for ARM64 ACPI based PCI host controller"
Previous message: He Kuang: "[PATCH v8 03/14] perf tools: Introducing struct unwind_libunwind_ops for local unwind"
Next in thread: Michael Hennerich: "Re: [PATCH] iio: dac: fix off-by-one comparison and out-of-bounds write"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Colin Ian King <colin.king@xxxxxxxxxxxxx>

The check on reg is off-by-one, it should be >= rather than >. Fix
this to stop an out-of-bounds write to st->channel_modes[reg].

Signed-off-by: Colin Ian King <colin.king@xxxxxxxxxxxxx>
---
drivers/iio/dac/ad5592r-base.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/iio/dac/ad5592r-base.c b/drivers/iio/dac/ad5592r-base.c
index 948f600..69bde59 100644
--- a/drivers/iio/dac/ad5592r-base.c
+++ b/drivers/iio/dac/ad5592r-base.c
@@ -525,7 +525,7 @@ static int ad5592r_alloc_channels(struct ad5592r_state *st)

device_for_each_child_node(st->dev, child) {
ret = fwnode_property_read_u32(child, "reg", &reg);
- if (ret || reg > ARRAY_SIZE(st->channel_modes))
+ if (ret || reg >= ARRAY_SIZE(st->channel_modes))
continue;

ret = fwnode_property_read_u32(child, "adi,mode", &tmp);
--
2.8.1

Next message: Gabriele Paoloni: "RE: [PATCH V8 0/9] Support for ARM64 ACPI based PCI host controller"
Previous message: He Kuang: "[PATCH v8 03/14] perf tools: Introducing struct unwind_libunwind_ops for local unwind"
Next in thread: Michael Hennerich: "Re: [PATCH] iio: dac: fix off-by-one comparison and out-of-bounds write"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]