Patchwork onenand: test before subtraction on unsigned

login
register
mail settings
Submitter roel kluin
Date March 4, 2009, 3:18 p.m.
Message ID <49AE9BD5.8000107@gmail.com>
Download mbox | patch
Permalink /patch/24044/
State New
Headers show

Comments

roel kluin - March 4, 2009, 3:18 p.m.
Adrian Hunter wrote:
> Roel Kluin wrote:
>> len is unsigned so will wrap around when sizeof(struct otp_info) is
>> greater than
>> len.

>> -            len -= sizeof(struct otp_info);
>> -            if (len <= 0) {
>> +            if (len <= sizeof(struct otp_info)) {
>> +                len = 0;
> 
> len is not used anymore, so no need to set it to zero.

Right, updated patch below.

>>                  ret = -ENOSPC;
>>                  break;
>>              }
>> +            len -= sizeof(struct otp_info);

> So is there somewhere that is passing a buffer too small for all the
> opt_info?

I don't know, I found it by code inspection.
------------------------------>8-------------8<---------------------------------
len is unsigned so will wrap around when sizeof(struct otp_info) is greater than
len.

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
---

Patch

diff --git a/drivers/mtd/onenand/onenand_base.c b/drivers/mtd/onenand/onenand_base.c
index 529af27..1219a18 100644
--- a/drivers/mtd/onenand/onenand_base.c
+++ b/drivers/mtd/onenand/onenand_base.c
@@ -2296,11 +2296,11 @@  static int onenand_otp_walk(struct mtd_info *mtd, loff_t from, size_t len,
 		if (!action) {	/* OTP Info functions */
 			struct otp_info *otpinfo;
 
-			len -= sizeof(struct otp_info);
-			if (len <= 0) {
+			if (len <= sizeof(struct otp_info)) {
 				ret = -ENOSPC;
 				break;
 			}
+			len -= sizeof(struct otp_info);
 
 			otpinfo = (struct otp_info *) buf;
 			otpinfo->start = from;