iio:core: Fix bug in length of event info_mask and catch unhandled bits set in masks.
author Jonathan Cameron <jic23@kernel.org>
Fri, 3 Jan 2014 22:24:00 +0000 (22:24 +0000)
committer Jonathan Cameron <jic23@kernel.org>
Sun, 16 Mar 2014 18:00:35 +0000 (18:00 +0000)
The unhandled bits case was highlighted by smatch:
  CHECK   drivers/iio/industrialio-core.c
drivers/iio/industrialio-core.c:719 iio_device_add_info_mask_type() error: buffer overflow 'iio_chan_info_postfix' 17 <= 31
  CC [M]  drivers/iio/industrialio-core.o
  CHECK   drivers/iio/industrialio-event.c
drivers/iio/industrialio-event.c:327 iio_device_add_event() error: buffer overflow 'iio_ev_info_text' 3 <= 3

The incorrect limit for the for_each_set_bit loop was noticed whilst fixing
this other case.  Note that as we only have 3 possible entries at the moment
and the value was set to 4, the bug would not have any effect currently.
It will bite fairly soon though, so best fix it now.

Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Cc: Lars-Peter Clausen <lars@metafoo.de>
Cc: Dan Carpenter <dan.carpenter@oracle.com>
drivers/iio/industrialio-core.c
drivers/iio/industrialio-event.c

index 1375921d8261faa10b949d08c16c5bd2cd0f93aa..184444db62acaca683c8ebce22b0870c1ff7ebac 100644 (file)
@@ -716,6 +716,8 @@ static int iio_device_add_info_mask_type(struct iio_dev *indio_dev,
        int i, ret, attrcount = 0;
 
        for_each_set_bit(i, infomask, sizeof(infomask)*8) {
+               if (i >= ARRAY_SIZE(iio_chan_info_postfix))
+                       return -EINVAL;
                ret = __iio_add_chan_devattr(iio_chan_info_postfix[i],
                                             chan,
                                             &iio_read_channel_info,
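
Review bot: The bound on the for_each_set_bit line is still sizeof(infomask)*8, while the event hunk in this same patch uses sizeof(*mask)*8. If infomask is a pointer here, as the address argument of for_each_set_bit normally is, sizeof(infomask) is the size of the pointer rather than of the mask word; that happens to match where a pointer and a long have the same width, but sizeof(*infomask)*8 or BITS_PER_LONG would state the intent. The added ARRAY_SIZE check keeps the index into iio_chan_info_postfix in range either way.
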
index ea6e06b9c7d42954cf6eb0d5ab86f18734e828b4..dddfb0f90d342e5b324bba657c5d194df6205a2d 100644 (file)
@@ -321,7 +321,9 @@ static int iio_device_add_event(struct iio_dev *indio_dev,
        char *postfix;
        int ret;
 
-       for_each_set_bit(i, mask, sizeof(*mask)) {
+       for_each_set_bit(i, mask, sizeof(*mask)*8) {
+               if (i >= ARRAY_SIZE(iio_ev_info_text))
+                       return -EINVAL;
                postfix = kasprintf(GFP_KERNEL, "%s_%s_%s",
                                iio_ev_type_text[type], iio_ev_dir_text[dir],
                                iio_ev_info_text[i]);
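
Review bot: The new return -EINVAL inside the loop gives no indication of which bit had no iio_ev_info_text entry, and because for_each_set_bit walks upward it fires only after any lower set bits have already been processed. A dev_err that prints i before returning would make a driver setting an unhandled mask bit easy to diagnose, and it is worth confirming that the caller unwinds whatever earlier iterations set up when it sees this error. Minor style point on the corrected bound: sizeof(*mask)*8 would read more clearly as sizeof(*mask) * BITS_PER_BYTE or BITS_PER_LONG.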