[PATCH v2] iio: chemical: mhz19b: bound receive buffer copy

From: Pengpeng Hou

Date: Sun Mar 22 2026 - 09:49:27 EST


`mhz19b_receive_buf()` appends bytes to the fixed 9-byte command buffer
without first checking that the new chunk fits in the remaining space.
A single receive callback can therefore write past the end of `st->buf`
before the driver sees that the command is complete.

Drop overlong chunks and reset the partial command state before the
copy.

Signed-off-by: Pengpeng Hou <pengpeng@xxxxxxxxxxx>
---
drivers/iio/chemical/mhz19b.c | 6 ++++++
1 file changed, 6 insertions(+)

diff --git a/drivers/iio/chemical/mhz19b.c b/drivers/iio/chemical/mhz19b.c
index 3c64154918b1..fbd7f14483b3 100644
--- a/drivers/iio/chemical/mhz19b.c
+++ b/drivers/iio/chemical/mhz19b.c
@@ -240,6 +240,12 @@ static size_t mhz19b_receive_buf(struct serdev_device *serdev,
{
struct iio_dev *indio_dev = dev_get_drvdata(&serdev->dev);
struct mhz19b_state *st = iio_priv(indio_dev);
+ size_t remaining = sizeof(st->buf) - st->buf_idx;
+
+ if (unlikely(len > remaining)) {
+ st->buf_idx = 0;
+ return len;
+ }

memcpy(st->buf + st->buf_idx, data, len);
st->buf_idx += len;
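Review bot: In the new `len > remaining` branch the whole chunk is reported as consumed (`return len`) and `st->buf_idx` is reset with no diagnostic, so a chunk that carries the tail of one response together with the start of the next loses both, and nothing records that data was dropped. Consider copying only `min(len, remaining)` bytes and returning that count, so that bytes belonging to the current command are kept. If discarding is the intended policy, add a short comment above the check saying so and emit a rate-limited warning so the drop is visible when debugging. It would also help to state in the comment that `remaining` relies on `st->buf_idx` never exceeding `sizeof(st->buf)`, since the unsigned subtraction would wrap otherwise.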
--
2.50.1 (Apple Git-155)