From: Michael Hennerich Date: Wed, 6 Oct 2010 14:22:17 +0000 (+0200) Subject: staging: iio: adc: ad799x: prevent buffer overflow X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=858f1ccff123469fb4257e2529ef8783aabf3b62;p=GitHub%2FLineageOS%2Fandroid_kernel_motorola_exynos9610.git staging: iio: adc: ad799x: prevent buffer overflow ring->access.read_last() reads the entire datum from the ring including padding and time stamp. Acked-by: Jonathan Cameron Signed-off-by: Michael Hennerich Signed-off-by: Greg Kroah-Hartman --- diff --git a/drivers/staging/iio/adc/ad799x_ring.c b/drivers/staging/iio/adc/ad799x_ring.c index 0f2041ab4b19..d0217f8a68df 100644 --- a/drivers/staging/iio/adc/ad799x_ring.c +++ b/drivers/staging/iio/adc/ad799x_ring.c @@ -29,28 +29,26 @@ int ad799x_single_channel_from_ring(struct ad799x_state *st, long mask) { - unsigned long numvals; + struct iio_ring_buffer *ring = st->indio_dev->ring; int count = 0, ret; u16 *ring_data; - if (!(st->indio_dev->ring->scan_mask & mask)) { + if (!(ring->scan_mask & mask)) { ret = -EBUSY; goto error_ret; } - numvals = st->indio_dev->ring->scan_count; - ring_data = kmalloc(numvals*2, GFP_KERNEL); + ring_data = kmalloc(ring->access.get_bytes_per_datum(ring), GFP_KERNEL); if (ring_data == NULL) { ret = -ENOMEM; goto error_ret; } - ret = st->indio_dev->ring->access.read_last(st->indio_dev->ring, - (u8 *) ring_data); + ret = ring->access.read_last(ring, (u8 *) ring_data); if (ret) goto error_free_ring_data; /* Need a count of channels prior to this one */ mask >>= 1; while (mask) { - if (mask & st->indio_dev->ring->scan_mask) + if (mask & ring->scan_mask) count++; mask >>= 1; }