Re: [PATCH] iio: chemical: mhz19b: reject oversized serial replies

Next message: Harry Yoo (Oracle): "Re: [PATCH] mm/slub: Revert &quot;mm: Aggressive slab merging heuristics&quot;"
Previous message: Jonathan Cameron: "Re: [PATCH v2] iio: chemical: mhz19b: bound receive buffer copy"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jonathan Cameron

Date: Sun Apr 12 2026 - 11:17:15 EST

On Thu, 2 Apr 2026 11:39:04 +0300
Andy Shevchenko <andriy.shevchenko@xxxxxxxxx> wrote:

> On Thu, Apr 02, 2026 at 01:40:15PM +0800, Pengpeng Hou wrote:
> > mhz19b_receive_buf() appends each serdev chunk into the fixed
> > MHZ19B_CMD_SIZE receive buffer and advances buf_idx by len without
> > checking that the chunk fits in the remaining space. A large callback
> > can therefore overflow st->buf before the command path validates the
> > reply.
> >
> > Reset the reply state before each command and reject oversized serial
> > replies before copying them into the fixed buffer. When an oversized
> > reply is detected, wake the waiter and report -EMSGSIZE instead of
> > overwriting st->buf.
>
> ...
>
> > struct completion buf_ready;
> >
> > u8 buf_idx;
> > + bool buf_overflow;
>
> + blank line here.
>
> (No need to resend just for this.)
>

This version addressed the comment I just made on v2 so all good.

I tweaked whilst applying.
Applied to the fixes-togreg branch of iio.git.

Note I'm unlikely to send another fixes pull request this cycle, so
I'll rebase that branch on rc1 once available and send out then.

Thanks,

Jonathan