Re: [PATCH] char: pcmcia: fix possible array index out of bounds in set_protocol()

From: Greg KH
Date: Fri May 21 2021 - 07:42:59 EST


On Fri, May 21, 2021 at 07:34:52PM +0800, yukuai (C) wrote:
> On 2021/05/21 18:59, Greg KH wrote:
> > On Fri, May 21, 2021 at 06:07:05PM +0800, Yu Kuai wrote:
> > > The length of array 'pts_reply' is 4, and the loop in set_protocol()
> > > will access array element from 0 to num_bytes_read - 1. Thus if
> > > io_read_num_rec_bytes() gets 'num_bytes_read' more than 4, it will
> > > cause index out of bounds errors.
> >
> > And how can num_bytes_read be greater than 4?
>
> Hi
>
> Do you mean num_bytes_read here should never be greater than 4?
>
> 544 io_read_num_rec_bytes(iobase, &num_bytes_read);
> 545 if (num_bytes_read >= 4) {
> 546 DEBUGP(2, dev, "NumRecBytes = %i\n",
> num_bytes_read);
> 547 break;


Like I said, it is tested if it is bigger, but then nothing happens if
that is true. So try to error out here.

> > Ah, it is tested, but you might want to error out if that happens, as
> > obviously something went wrong.
> >
> > Do you have this hardware to test these changes?
>
> Sorry we don't have this hardware...

Ah, then I wouldn't worry about it, as odds are, no one else does either :)

thanks,

greg k-h