Re: [PATCH v2] serial: max310x: Fix out of bounds access

From: Alexander Shiyan
Date: Wed Aug 12 2015 - 06:35:28 EST


> ÐÑÐÐÐ, 12 ÐÐÐÑÑÑÐ 2015, 15:36 +08:00 ÐÑ cantona <cantona@xxxxxxxxxxx>:
>
>
> added Alexander Shiyan < shc_work@xxxxxxx >.
>
> On 12 August 2015 at 15:22, Su Kang Yin < cantona@xxxxxxxxxxx > wrote:
> >Max310x driver supports up to 4 UART devices but array size of
> >"struct max310x_one" is set to 1. That leads to out of bounds
> >access on UART port registration.
> >
> >This patch fixed it by increase the array size to 4 which is
> >maximum supported UART.
> >
> >Signed-off-by: Su Kang Yin < cantona@xxxxxxxxxxx >
> >---
...

This seems incorrect. The number of ports is allocated dynamically by:
...
/* Alloc port structure */
s = devm_kzalloc(dev, sizeof(*s) + sizeof(struct max310x_one) * devtype->nr, GFP_KERNEL);
...

Thanks.

---