From patchwork Wed Mar 4 15:18:45 2009 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: onenand: test before subtraction on unsigned From: roel kluin X-Patchwork-Id: 24044 Message-Id: <49AE9BD5.8000107@gmail.com> To: Adrian Hunter Cc: "kyungmin.park@samsung.com" , "linux-mtd@lists.infradead.org" , Andrew Morton Date: Wed, 04 Mar 2009 16:18:45 +0100 Adrian Hunter wrote: > Roel Kluin wrote: >> len is unsigned so will wrap around when sizeof(struct otp_info) is >> greater than >> len. >> - len -= sizeof(struct otp_info); >> - if (len <= 0) { >> + if (len <= sizeof(struct otp_info)) { >> + len = 0; > > len is not used anymore, so no need to set it to zero. Right, updated patch below. >> ret = -ENOSPC; >> break; >> } >> + len -= sizeof(struct otp_info); > So is there somewhere that is passing a buffer too small for all the > opt_info? I don't know, I found it by code inspection. ------------------------------>8-------------8<--------------------------------- len is unsigned so will wrap around when sizeof(struct otp_info) is greater than len. Signed-off-by: Roel Kluin --- diff --git a/drivers/mtd/onenand/onenand_base.c b/drivers/mtd/onenand/onenand_base.c index 529af27..1219a18 100644 --- a/drivers/mtd/onenand/onenand_base.c +++ b/drivers/mtd/onenand/onenand_base.c @@ -2296,11 +2296,11 @@ static int onenand_otp_walk(struct mtd_info *mtd, loff_t from, size_t len, if (!action) { /* OTP Info functions */ struct otp_info *otpinfo; - len -= sizeof(struct otp_info); - if (len <= 0) { + if (len <= sizeof(struct otp_info)) { ret = -ENOSPC; break; } + len -= sizeof(struct otp_info); otpinfo = (struct otp_info *) buf; otpinfo->start = from;
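Review bot: the reordered test is the right fix for a `size_t` operand, since comparing `len` against `sizeof(struct otp_info)` before subtracting means the value can never wrap, and the `+ len -= sizeof(struct otp_info);` placed after the `break` keeps the decrement on the success path only. Two points worth settling before this goes in. First, `if (len <= sizeof(struct otp_info))` deliberately preserves the old behaviour of the removed `if (len <= 0)`, which rejected a remaining length of exactly one entry (subtraction yielding 0); if the intent is to allow a buffer that holds exactly the remaining `otp_info` records, the bound should be `<`, and either way a one-line comment on the chosen bound would stop the next reader from "correcting" it. Second, the commit message says only that `len` wraps; it should state the consequence visible in the hunk, namely that with the old ordering a caller buffer shorter than `sizeof(struct otp_info)` passes the check and `otpinfo = (struct otp_info *) buf; otpinfo->start = from;` then writes past the end of `buf`, since that is what justifies treating this as more than a cosmetic cleanup even though no too-small caller has been identified.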
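The wraparound the patch fixes, as an added C example that is not code from the thread or from the OneNAND driver: a constructed simulation of the OTP-info branch that counts the entries the walk would store instead of writing them, using a stand-in `struct otp_info` and a constructed region count, so the pre-patch and patched orderings can be compared on the same inputs.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for the kernel's struct otp_info; only sizeof() matters. */
struct otp_info {
    uint32_t start;
    uint32_t length;
    uint32_t locked;
};
#define NREGIONS 4 /* constructed: OTP regions the walk would report */

/* Hypothetical helper simulating the OTP-info branch of onenand_otp_walk for a
 * caller buffer of len bytes, counting entries instead of storing them.
 * fixed == 0: pre-patch order (subtract, then test "<= 0" on size_t).
 * fixed != 0: patched order (test against sizeof(), then subtract).
 * Returns 0 or -ENOSPC like the driver. */
static int otp_walk_sim(size_t len, int fixed, size_t *written)
{
    int ret = 0, region;
    *written = 0;
    for (region = 0; region < NREGIONS; region++) {
        if (!fixed) {
            /* size_t: 4 - 12 wraps to SIZE_MAX - 7, so "<= 0" fires only when len was exactly sizeof() */
            len -= sizeof(struct otp_info);
            if (len <= 0) {
                ret = -ENOSPC;
                break;
            }
        } else {
            if (len <= sizeof(struct otp_info)) {
                ret = -ENOSPC;
                break;
            }
            len -= sizeof(struct otp_info);
        }
        (*written)++; /* the driver would store one otp_info here */
    }
    return ret;
}

/* Number of entries the walk stores for a len-byte buffer. */
static size_t entries_for(size_t len, int fixed)
{ size_t n; otp_walk_sim(len, fixed, &n); return n; }
/* Driver status (0 or -ENOSPC) for a len-byte buffer. */
static int status_for(size_t len, int fixed)
{ size_t n; return otp_walk_sim(len, fixed, &n); }
/* 1 if every stored entry fits in the buffer, 0 if the walk overran it. */
static int walk_fits(size_t len, int fixed)
{ return entries_for(len, fixed) * sizeof(struct otp_info) <= len; }
```

For a 4-byte buffer the pre-patch ordering stores all four entries (48 bytes), while the patched ordering returns -ENOSPC before storing any; for buffers that do not trigger the wrap, both orderings store the same number of entries.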