From: Craig Markwardt <> Date: Wed, 1 Jan 2014 15:38:52 +0000 (+0000) Subject: iio: Fix a buffer overflow in iio_utils.h example code X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=66c65d90db1004356281db6ead988e2e38ba9e37;p=GitHub%2FLineageOS%2FG12%2Fandroid_kernel_amlogic_linux-4.9.git iio: Fix a buffer overflow in iio_utils.h example code This was originally reported by Craig Markwardt on Zubair Lutfullah's blog and Zubair forwarded it to linux-iio@vger.kernel.org. No email address known. The code first counted the number of enabled channels, then created an array to hold information about them. The code that filled this array then stored whether a given element was enabled inside the array. Curriously this element was never used. Craig's patch added a local temporary variable to avoid the buffer overrun. Jonathan then removed the original enabled element of the structure as it was not needed at all. Signed-off-by: Zubair Lutfullah Signed-off-by: Jonathan Cameron --- diff --git a/drivers/staging/iio/Documentation/iio_utils.h b/drivers/staging/iio/Documentation/iio_utils.h index 35154d60faf6..c9fedb79e3a2 100644 --- a/drivers/staging/iio/Documentation/iio_utils.h +++ b/drivers/staging/iio/Documentation/iio_utils.h @@ -77,7 +77,6 @@ struct iio_channel_info { uint64_t mask; unsigned be; unsigned is_signed; - unsigned enabled; unsigned location; }; @@ -335,6 +334,7 @@ inline int build_channel_array(const char *device_dir, while (ent = readdir(dp), ent != NULL) { if (strcmp(ent->d_name + strlen(ent->d_name) - strlen("_en"), "_en") == 0) { + int current_enabled = 0; current = &(*ci_array)[count++]; ret = asprintf(&filename, "%s/%s", scan_el_dir, ent->d_name); @@ -350,10 +350,10 @@ inline int build_channel_array(const char *device_dir, ret = -errno; goto error_cleanup_array; } - fscanf(sysfsfp, "%u", ¤t->enabled); + fscanf(sysfsfp, "%u", ¤t_enabled); fclose(sysfsfp); - if (!current->enabled) { + if (!current_enabled) { free(filename); count--; continue;