[PATCH] iio: chemical: mhz19b: bound receive buffer copy
From: Pengpeng Hou
Date: Sat Mar 21 2026 - 23:21:08 EST
`mhz19b_receive_buf()` appends bytes to the fixed 9-byte command buffer
without first checking that the new chunk fits in the remaining space.
A single receive callback can therefore write past the end of `st->buf`
before the driver sees that the command is complete.
Drop overlong chunks and reset the partial command state before the
copy.
Signed-off-by: Pengpeng Hou <pengpeng@xxxxxxxxxxx>
---
drivers/iio/chemical/mhz19b.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/iio/chemical/mhz19b.c b/drivers/iio/chemical/mhz19b.c
index 3c64154918b1..a028216fa2a9 100644
--- a/drivers/iio/chemical/mhz19b.c
+++ b/drivers/iio/chemical/mhz19b.c
@@ -241,6 +241,11 @@ static size_t mhz19b_receive_buf(struct serdev_device *serdev,
struct iio_dev *indio_dev = dev_get_drvdata(&serdev->dev);
struct mhz19b_state *st = iio_priv(indio_dev);
+ if (len > sizeof(st->buf) - st->buf_idx) {
+ st->buf_idx = 0;
+ return len;
+ }
+
memcpy(st->buf + st->buf_idx, data, len);
st->buf_idx += len;
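Review bot: The new `if (len > sizeof(st->buf) - st->buf_idx)` branch returns `len` after zeroing `st->buf_idx`, so the caller is told every byte was consumed while none was stored, and the bytes already accumulated in `st->buf` are discarded with them. If an oversized chunk carries the tail of a valid 9-byte response followed by extra data, the valid response is lost too, and nothing records that it happened. Consider copying only the bytes that fit in the remaining space and returning that count, or at minimum adding a rate-limited warning on this path so dropped frames are visible. A short comment would also help, noting that the subtraction cannot underflow because `st->buf_idx` never exceeds `sizeof(st->buf)` once this check guards the `memcpy()`.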
--
2.50.1 (Apple Git-155)