mtd: docg3: off by one in doc_register_sysfs()

Linux-MTD Mailing List linux-mtd at lists.infradead.org
Fri Nov 6 10:59:26 PST 2015 

Gitweb:     http://git.infradead.org/?p=mtd-2.6.git;a=commit;h=2382960793c2480277ae98a891ea5aa566e06ff1
Commit:     2382960793c2480277ae98a891ea5aa566e06ff1
Parent:     89c1702da717164fcff633594e130f54dd563499
Author:     Dan Carpenter <dan.carpenter at oracle.com>
AuthorDate: Mon Oct 19 13:20:05 2015 +0300
Committer:  Brian Norris <computersforpeace at gmail.com>
CommitDate: Mon Oct 26 11:45:30 2015 -0700

    mtd: docg3: off by one in doc_register_sysfs()
    
    Smatch found a bug in the error handling:
    
    	drivers/mtd/devices/docg3.c:1634 doc_register_sysfs()
    	error: buffer overflow 'doc_sys_attrs' 4 <= 4
    
    The problem is that if the very last device_create_file() fails, then we
    are beyond the end of the array.  Actually, any time i == 3 then there
    is a problem.  We can fix this an simplify the code at the same time by
    moving the !ret conditions out of the for loops and using a goto
    instead.
    
    Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
    Acked-by: Robert Jarzmik <robert.jarzmik at free.fr>
    Signed-off-by: Brian Norris <computersforpeace at gmail.com>
---
 drivers/mtd/devices/docg3.c | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)

diff --git a/drivers/mtd/devices/docg3.c b/drivers/mtd/devices/docg3.c
index f00d0da..c3a2695 100644
--- a/drivers/mtd/devices/docg3.c
+++ b/drivers/mtd/devices/docg3.c
@@ -1620,20 +1620,30 @@ static struct device_attribute doc_sys_attrs[DOC_MAX_NBFLOORS][4] = {
 static int doc_register_sysfs(struct platform_device *pdev,
 			      struct docg3_cascade *cascade)
 {
-	int ret = 0, floor, i = 0;
 	struct device *dev = &pdev->dev;
+	int floor;
+	int ret;
+	int i;
 
-	for (floor = 0; !ret && floor < DOC_MAX_NBFLOORS &&
-		     cascade->floors[floor]; floor++)
-		for (i = 0; !ret && i < 4; i++)
+	for (floor = 0;
+	     floor < DOC_MAX_NBFLOORS && cascade->floors[floor];
+	     floor++) {
+		for (i = 0; i < 4; i++) {
 			ret = device_create_file(dev, &doc_sys_attrs[floor][i]);
-	if (!ret)
-		return 0;
+			if (ret)
+				goto remove_files;
+		}
+	}
+
+	return 0;
+
+remove_files:
 	do {
 		while (--i >= 0)
 			device_remove_file(dev, &doc_sys_attrs[floor][i]);
 		i = 4;
 	} while (--floor >= 0);
+
 	return ret;
 }

More information about the linux-mtd-cvs mailing list