Re: [PATCH][next] iio: dac: ad5770r: fix off-by-one check on maximum number of channels
From: Ardelean, Alexandru
Date: Fri Apr 03 2020 - 09:26:27 EST
On Fri, 2020-04-03 at 13:58 +0100, Colin King wrote:
> [External]
>
> From: Colin Ian King <colin.king@xxxxxxxxxxxxx>
>
> Currently there is an off-by-one check on the number of channels that
> will cause an arry overrun in array st->output_mode when calling the
> function d5770r_store_output_range. Fix this by using >= rather than >
> to check for maximum number of channels.
>
Reviewed-by: Alexandru Ardelean <alexandru.ardelean@xxxxxxxxxx>
> Addresses-Coverity: ("Out-of-bounds access")
> Fixes: cbbb819837f6 ("iio: dac: ad5770r: Add AD5770R support")
> Signed-off-by: Colin Ian King <colin.king@xxxxxxxxxxxxx>
> ---
> drivers/iio/dac/ad5770r.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/iio/dac/ad5770r.c b/drivers/iio/dac/ad5770r.c
> index a98ea76732e7..2d7623b9b2c0 100644
> --- a/drivers/iio/dac/ad5770r.c
> +++ b/drivers/iio/dac/ad5770r.c
> @@ -525,7 +525,7 @@ static int ad5770r_channel_config(struct ad5770r_state
> *st)
> ret = fwnode_property_read_u32(child, "num", &num);
> if (ret)
> return ret;
> - if (num > AD5770R_MAX_CHANNELS)
> + if (num >= AD5770R_MAX_CHANNELS)
> return -EINVAL;
>
> ret = fwnode_property_read_u32_array(child,