Re: [PATCH] iio: chemical: mhz19b: reject oversized serial replies

Next message: Jian Yang (&#x6768;&#x622C;): "Re: [PATCH v1] PCI: mediatek-gen3: Align PERST# sequence with PCIe CEM specification"
Previous message: Jiayuan Chen: "Re: [PATCH net v1] net: skb: fix cross-cache free of KFENCE-allocated skb head"
In reply to: Pengpeng Hou: "[PATCH] iio: chemical: mhz19b: reject oversized serial replies"
Next in thread: Gyeyoung Baek: "Re: [PATCH] iio: chemical: mhz19b: reject oversized serial replies"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Andy Shevchenko

Date: Thu Apr 02 2026 - 04:45:07 EST

On Thu, Apr 02, 2026 at 01:40:15PM +0800, Pengpeng Hou wrote:
> mhz19b_receive_buf() appends each serdev chunk into the fixed
> MHZ19B_CMD_SIZE receive buffer and advances buf_idx by len without
> checking that the chunk fits in the remaining space. A large callback
> can therefore overflow st->buf before the command path validates the
> reply.
>
> Reset the reply state before each command and reject oversized serial
> replies before copying them into the fixed buffer. When an oversized
> reply is detected, wake the waiter and report -EMSGSIZE instead of
> overwriting st->buf.

...

> struct completion buf_ready;
>
> u8 buf_idx;
> + bool buf_overflow;

+ blank line here.

(No need to resend just for this.)

--
With Best Regards,
Andy Shevchenko