From: Michael Hennerich Date: Thu, 24 Feb 2011 15:34:53 +0000 (+0100) Subject: IIO: Documentation: iio_utils: Prevent buffer overflow X-Git-Tag: MMI-PSA29.97-13-9~20521^2~401 X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=7ccd4506fa49600a3c59cf64608b2c9e669b6c97;p=GitHub%2FMotorolaMobilityLLC%2Fkernel-slsi.git IIO: Documentation: iio_utils: Prevent buffer overflow The first part of build_channel_array()identifies the number of enabled channels. Further down this count is used to allocate the ci_array. The next section parses the scan_elements directory again, and fills ci_array regardless if the channel is enabled or not. So if less than available channels are enabled ci_array memory is overflowed. This fix makes sure that we allocate enough memory. But the whole approach looks a bit cumbersome to me. Why not allocate memory for MAX_CHANNLES, less say 64 (I never seen a part with more than that channels). And skip the first part entirely. Signed-off-by: Michael Hennerich Acked-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman --- diff --git a/drivers/staging/iio/Documentation/iio_utils.h b/drivers/staging/iio/Documentation/iio_utils.h index 4b023aa14198..bde231352a87 100644 --- a/drivers/staging/iio/Documentation/iio_utils.h +++ b/drivers/staging/iio/Documentation/iio_utils.h @@ -290,15 +290,17 @@ inline int build_channel_array(const char *device_dir, fscanf(sysfsfp, "%u", &ret); if (ret == 1) (*counter)++; + count++; fclose(sysfsfp); free(filename); } - *ci_array = malloc(sizeof(**ci_array)*(*counter)); + *ci_array = malloc(sizeof(**ci_array)*count); if (*ci_array == NULL) { ret = -ENOMEM; goto error_close_dir; } seekdir(dp, 0); + count = 0; while (ent = readdir(dp), ent != NULL) { if (strcmp(ent->d_name + strlen(ent->d_name) - strlen("_en"), "_en") == 0) {