[PATCH] evh_bytechan: fix out of bounds accesses

Stephen Rothwell sfr at canb.auug.org.au
Tue Jan 14 07:25:22 AEDT 2020


Hi Timur,

On Mon, 13 Jan 2020 10:03:18 -0600 Timur Tabi <timur at kernel.org> wrote:
>
> Why not simply correct the parameters of ev_byte_channel_send?
> 
> static inline unsigned int ev_byte_channel_send(unsigned int handle,
> -unsigned int *count, const char buffer[EV_BYTE_CHANNEL_MAX_BYTES])
> +unsigned int *count, const char *buffer)
> 
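Review bot: the replacement of `const char buffer[EV_BYTE_CHANNEL_MAX_BYTES]` with `const char *buffer` in the parameter list changes only how the interface reads. In C an array parameter is adjusted to a pointer, so both lines declare the same type and neither limits how many bytes the function body reads. If the signature is changed this way, it should be paired with either a body that reads no more than `*count` bytes or a comment stating that the caller must supply at least EV_BYTE_CHANNEL_MAX_BYTES readable bytes.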
> Back then, I probably thought I was just being clever with this code,
> but I realize now that it doesn't make sense to do the way I did.

The problem is not really the declaration, the problem is that
ev_byte_channel_send always accesses 16 bytes from the buffer and it is
not always passed a buffer that long (in one case it is passed a
pointer to a single byte).  So the alternative to the memcpy approach I
have taken is to complicate ev_byte_channel_send so that it only accesses
count bytes from the buffer.

-- 
Cheers,
Stephen Rothwell
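
The two options discussed in this message, as an added example (not code from the patch or from the kernel): a caller-side bounce buffer in front of a routine that always reads 16 bytes, and a callee that reads only `*count` bytes. `model_send_fixed`, `model_send_counted`, `send_via_bounce`, `wire` and `MAX_BYTES` are hypothetical names; the transport is modelled by a plain array.

```c
#include <stdio.h>
#include <string.h>

#define MAX_BYTES 16 /* stands in for EV_BYTE_CHANNEL_MAX_BYTES (16 in the thread) */

/* Constructed model of the transport: holds the 16 bytes last "sent". */
static unsigned char wire[MAX_BYTES];

/*
 * Model of the problem: all MAX_BYTES bytes are loaded from buffer whatever
 * *count says, so buffer must point to at least MAX_BYTES readable bytes.
 * Passing the address of a single char here would read 15 bytes past it.
 */
static unsigned int model_send_fixed(unsigned int *count, const char *buffer)
{
    (void)count;                      /* the length does not bound the read */
    memcpy(wire, buffer, MAX_BYTES);
    return 0;
}

/* Caller-side option: bounce the data through a full-size, zeroed buffer. */
static unsigned int send_via_bounce(unsigned int *count, const char *data)
{
    char tmp[MAX_BYTES] = { 0 };

    if (*count > MAX_BYTES)
        *count = MAX_BYTES;           /* never copy more than tmp holds */
    memcpy(tmp, data, *count);        /* touches only *count bytes of data */
    return model_send_fixed(count, tmp);
}

/* Callee-side option: read only *count bytes of the caller's buffer. */
static unsigned int model_send_counted(unsigned int *count, const char *buffer)
{
    if (*count > MAX_BYTES)
        *count = MAX_BYTES;
    memset(wire, 0, sizeof(wire));
    memcpy(wire, buffer, *count);
    return 0;
}

int main(void)
{
    char c = 'A';                     /* the single-byte caller from the thread */
    unsigned int n = 1;

    send_via_bounce(&n, &c);
    printf("sent %u byte(s), wire[0]=%c wire[1]=%d\n", n, wire[0], wire[1]);
    return 0;
}
```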


More information about the Linuxppc-dev mailing list