staging: comedi: avoid bad truncation of a size_t in comedi_read()
authorIan Abbott <abbotti@mev.co.uk>
Mon, 12 Oct 2015 16:21:24 +0000 (17:21 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 13 Oct 2015 17:29:48 +0000 (10:29 -0700)
At one point in `comedi_read()`, the variable `n` gets assigned to the
minimum of the parameter `nbytes` and the amount of readable buffer
space `m`.  The way that is done currently is unsafe in the unlikely
case that `nbytes` exceeds `UINT_MAX`, so fix it.

Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Reviewed-by: H Hartley Sweeten <hsweeten@visionengravers.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/staging/comedi/comedi_fops.c

index 92f571645f3679034b02db0c0c3d379c0bfe2a07..f39448a0d301b0e8db9aac376021cc78ecca773c 100644 (file)
@@ -2493,13 +2493,10 @@ static ssize_t comedi_read(struct file *file, char __user *buf, size_t nbytes,
        while (nbytes > 0 && !retval) {
                set_current_state(TASK_INTERRUPTIBLE);
 
-               n = nbytes;
-
                m = comedi_buf_read_n_available(s);
                if (async->buf_read_ptr + m > async->prealloc_bufsz)
                        m = async->prealloc_bufsz - async->buf_read_ptr;
-               if (m < n)
-                       n = m;
+               n = min_t(size_t, m, nbytes);
 
                if (n == 0) {
                        unsigned runflags = comedi_get_subdevice_runflags(s);