From patchwork Wed Mar 4 15:18:45 2009
X-Patchwork-Submitter: roel kluin
X-Patchwork-Id: 24044
Message-ID: <49AE9BD5.8000107@gmail.com>
Date: Wed, 04 Mar 2009 16:18:45 +0100
From: Roel Kluin
To: Adrian Hunter
Subject: Re: [PATCH] onenand: test before subtraction on unsigned
References: <49AE8BA0.7060903@gmail.com> <49AE950C.60907@nokia.com>
In-Reply-To: <49AE950C.60907@nokia.com>
Cc: "kyungmin.park@samsung.com", "linux-mtd@lists.infradead.org", Andrew Morton

Adrian Hunter wrote:
> Roel Kluin wrote:
>> len is unsigned so will wrap around when sizeof(struct otp_info) is
>> greater than
>> len.
>> - len -= sizeof(struct otp_info);
>> - if (len <= 0) {
>> + if (len <= sizeof(struct otp_info)) {
>> + len = 0;
>
> len is not used anymore, so no need to set it to zero.

Right, updated patch below.

>> ret = -ENOSPC;
>> break;
>> }
>> + len -= sizeof(struct otp_info);
> So is there somewhere that is passing a buffer too small for all the
> opt_info?

I don't know, I found it by code inspection.

------------------------------>8-------------8<---------------------------------
len is unsigned so will wrap around when sizeof(struct otp_info) is greater than len.

Signed-off-by: Roel Kluin

diff --git a/drivers/mtd/onenand/onenand_base.c b/drivers/mtd/onenand/onenand_base.c index 529af27..1219a18 100644 --- a/drivers/mtd/onenand/onenand_base.c +++ b/drivers/mtd/onenand/onenand_base.c
@@ -2296,11 +2296,11 @@ static int onenand_otp_walk(struct mtd_info *mtd, loff_t from, size_t len, if (!action) { /* OTP Info functions */ struct otp_info *otpinfo; - len -= sizeof(struct otp_info); - if (len <= 0) { + if (len <= sizeof(struct otp_info)) { ret = -ENOSPC; break; } + len -= sizeof(struct otp_info); otpinfo = (struct otp_info *) buf; otpinfo->start = from;
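
Review bot: The `if (len <= sizeof(struct otp_info))` test returns -ENOSPC when len is exactly sizeof(struct otp_info), although the single otpinfo entry written right after the check would still fit in the buffer. That matches the removed code (for a `size_t len`, the old `len <= 0` was true only when the subtraction landed on exactly zero), so the patch keeps the exact-fit rejection while closing the wrap-around. If the exact-fit case is meant to fail, a short comment saying so would help; otherwise the comparison should be `<`. The commit message could also state that the old check never fired for a len smaller than the struct, because the wrapped value is a large positive number and the walk then continued writing through buf.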