Re: [PATCH] char: pcmcia: fix possible array index out of bounds in set_protocol()

From: yukuai (C)
Date: Fri May 21 2021 - 07:34:57 EST


On 2021/05/21 18:59, Greg KH wrote:
On Fri, May 21, 2021 at 06:07:05PM +0800, Yu Kuai wrote:
The length of array 'pts_reply' is 4, and the loop in set_protocol()
will access array element from 0 to num_bytes_read - 1. Thus if
io_read_num_rec_bytes() gets 'num_bytes_read' more than 4, it will
cause index out of bounds errors.

And how can num_bytes_read be greater than 4?

Hi

Do you mean num_bytes_read here should never be greater than 4?

    io_read_num_rec_bytes(iobase, &num_bytes_read);
    if (num_bytes_read >= 4) {
        DEBUGP(2, dev, "NumRecBytes = %i\n", num_bytes_read);
        break;

Ah, it is tested, but you might want to error out if that happens, as
obviously something went wrong.

Do you have this hardware to test these changes?

Sorry we don't have this hardware...

Thanks,
Yu Kuai

thanks,

greg k-h
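
The check suggested in the thread (error out when the reported count is above 4), as an added example in user-space C; it is not code from the driver or from the patch. `struct fake_dev`, `poll_num_bytes_read()`, `read_pts_reply()` and `demo_result()` are hypothetical names, the sample data is constructed, and treating a short reply as an error is an assumption.

```c
#include <errno.h>
#include <stdio.h>
#define PTS_REPLY_LEN 4 /* length of 'pts_reply' given in the thread */

/* Hypothetical device model: one reported byte count per poll. */
struct fake_dev {
    const unsigned short *counts; /* constructed poll results */
    unsigned n_counts;
    const unsigned char *fifo;    /* constructed reply bytes */
};
/* Polling loop as quoted: any count >= 4 ends the wait, 5 as well as 4. */
static unsigned short poll_num_bytes_read(const struct fake_dev *dev)
{
    unsigned short num_bytes_read = 0;
    for (unsigned i = 0; i < dev->n_counts; i++) {
        num_bytes_read = dev->counts[i];
        if (num_bytes_read >= PTS_REPLY_LEN)
            break;
    }
    return num_bytes_read;
}

/* Checked read: refuse the reply instead of indexing past pts_reply[3]. */
static int read_pts_reply(const struct fake_dev *dev, unsigned char *pts_reply)
{
    unsigned short num_bytes_read = poll_num_bytes_read(dev);
    if (num_bytes_read > PTS_REPLY_LEN)
        return -EIO;       /* count exceeds the buffer: error out */
    if (num_bytes_read < PTS_REPLY_LEN)
        return -ETIMEDOUT; /* assumption: a short reply is also an error */
    for (unsigned short i = 0; i < num_bytes_read; i++)
        pts_reply[i] = dev->fifo[i];
    return 0;
}

/* Constructed device whose last poll reports `final` bytes. */
static int demo_result(unsigned short final)
{
    const unsigned short counts[] = { 0, 2, final };
    const unsigned char fifo[8] = { 0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7 };
    const struct fake_dev dev = { counts, 3, fifo };
    unsigned char pts_reply[PTS_REPLY_LEN];
    return read_pts_reply(&dev, pts_reply);
}

int main(void)
{
    printf("4 -> %d, 5 -> %d, 3 -> %d\n", demo_result(4), demo_result(5), demo_result(3));
    return 0;
}
```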