mirrors
/
linux-stable
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
1
0
Fork 0
Code Issues Releases Wiki Activity

IIO: Documentation: iio_utils: Prevent buffer overflow 

The first part of build_channel_array()identifies the number of enabled channels.
Further down this count is used to allocate the ci_array. The next section parses the
scan_elements directory again, and fills ci_array regardless if the channel is enabled or not.
So if less than available channels are enabled ci_array memory is overflowed.

This fix makes sure that we allocate enough memory. But the whole approach looks a bit
cumbersome to me. Why not allocate memory for MAX_CHANNLES, less say 64
(I never seen a part with more than that channels). And skip the first part entirely.

Signed-off-by: Michael Hennerich <michael.hennerich@analog.com>
Acked-by: Jonathan Cameron <jic23@cam.ac.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
This commit is contained in:
Michael Hennerich 2011-02-24 16:34:53 +01:00 committed by Greg Kroah-Hartman
parent 2bf99c70ce
commit 7ccd4506fa
1 changed files with 3 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
drivers/staging/iio/Documentation/iio_utils.h
View File

@ -290,15 +290,17 @@ inline int build_channel_array(const char *device_dir,
fscanf(sysfsfp, "%u", &ret);
if (ret == 1)
(*counter)++;
count++;
fclose(sysfsfp);
free(filename);
}
*ci_array = malloc(sizeof(**ci_array)*(*counter));
*ci_array = malloc(sizeof(**ci_array)*count);
if (*ci_array == NULL) {
ret = -ENOMEM;
goto error_close_dir;
}
seekdir(dp, 0);
count = 0;
while (ent = readdir(dp), ent != NULL) {
if (strcmp(ent->d_name + strlen(ent->d_name) - strlen("_en"),
"_en") == 0) {