Re: [RESEND PATCH] dvb: copy_from_user checks
From: Olivier Galibert
Date: Fri Feb 19 2010 - 08:59:28 EST
On Thu, Feb 18, 2010 at 06:39:16PM +0000, Alan Cox wrote:
> I don't believe the frag count can ever get loaded with a negative value
> even with the -2 but neither the compiler (nor I ;)) can prove it so keep
> us both happy.
>
> Signed-off-by: Alan Cox <alan@xxxxxxxxxxxxxxx>
> ---
>
> drivers/media/dvb/dvb-core/dvb_ca_en50221.c | 4 +++-
> 1 files changed, 3 insertions(+), 1 deletions(-)
>
>
> diff --git a/drivers/media/dvb/dvb-core/dvb_ca_en50221.c b/drivers/media/dvb/dvb-core/dvb_ca_en50221.c
> index cb22da5..2cf03e9 100644
> --- a/drivers/media/dvb/dvb-core/dvb_ca_en50221.c
> +++ b/drivers/media/dvb/dvb-core/dvb_ca_en50221.c
> @@ -1280,7 +1280,7 @@ static ssize_t dvb_ca_en50221_io_write(struct file *file,
> u8 slot, connection_id;
> int status;
> u8 fragbuf[HOST_LINK_BUF_SIZE];
> - int fragpos = 0;
> + unsigned int fragpos = 0;
> int fraglen;
> unsigned long timeout;
> int written;
> @@ -1308,6 +1308,8 @@ static ssize_t dvb_ca_en50221_io_write(struct file *file,
> fraglen = ca->slot_info[slot].link_buf_size - 2;
> if ((count - fragpos) < fraglen)
> fraglen = count - fragpos;
> + if (fraglen < 0)
> + fraglen = 0;
If fragpos is unsigned int, then the < fraglen comparison is going to
be unsigned, which is probably not what you want either, is it?
OG.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/