[PATCH 05/10] staging: comedi: avoid bad truncation of a size_t in comedi_read()

From: Ian Abbott
Date: Mon Oct 12 2015 - 12:23:58 EST


At one point in `comedi_read()`, the variable `n` gets assigned to the
minimum of the parameter `nbytes` and the amount of readable buffer
space `m`. The way that is done currently is unsafe in the unlikely
case that `nbytes` exceeds `UINT_MAX`, so fix it.

Signed-off-by: Ian Abbott <abbotti@xxxxxxxxx>
---
drivers/staging/comedi/comedi_fops.c | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/drivers/staging/comedi/comedi_fops.c b/drivers/staging/comedi/comedi_fops.c
index ae9d519..d51c94c 100644
--- a/drivers/staging/comedi/comedi_fops.c
+++ b/drivers/staging/comedi/comedi_fops.c
@@ -2492,13 +2492,10 @@ static ssize_t comedi_read(struct file *file, char __user *buf, size_t nbytes,
while (nbytes > 0 && !retval) {
set_current_state(TASK_INTERRUPTIBLE);

- n = nbytes;
-
m = comedi_buf_read_n_available(s);
if (async->buf_read_ptr + m > async->prealloc_bufsz)
m = async->prealloc_bufsz - async->buf_read_ptr;
- if (m < n)
- n = m;
+ n = min_t(size_t, m, nbytes);

if (n == 0) {
unsigned runflags = comedi_get_subdevice_runflags(s);
--
2.6.1

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/