[patch] mtd/docg3: off by one in doc_register_sysfs()

Robert Jarzmik robert.jarzmik at free.fr
Sun Oct 25 00:54:16 PDT 2015


Dan Carpenter <dan.carpenter at oracle.com> writes:

> On Sat, Oct 24, 2015 at 11:49:27AM +0200, Robert Jarzmik wrote:
>> Dan Carpenter <dan.carpenter at oracle.com> writes:
>> 
>> > Smatch found a bug in the error handling:
>> >
>> > 	drivers/mtd/devices/docg3.c:1634 doc_register_sysfs()
>> > 	error: buffer overflow 'doc_sys_attrs' 4 <= 4
>> >
>> > The problem is that if the very last device_create_file() fails, then we
>> > are beyond the end of the array.  Actually, any time i == 3 then there
>> > is a problem.  We can fix this and simplify the code at the same time by
>> > moving the !ret conditions out of the for loops and using a goto
>> > instead.
>> 
>> Hi Dan,
>> 
>> I must admit I don't see the issue here:
>>  - if the last device_create_file() fails, we have:
>>    - i = 3, ret = -Exxx
>>    - doc_sys_attrs[floor][0] is populated
>>    - doc_sys_attrs[floor][1] is populated
>>    - doc_sys_attrs[floor][2] is populated
>>    - doc_sys_attrs[floor][3] is probably NULL
>
> We increment "i" to 4.

Ah yes, I see it now, thanks. Somehow in my brain the !ret condition in the for
loop was preventing the increment ... silly.

So:
Acked-by: Robert Jarzmik <robert.jarzmik at free.fr>

Cheers.

--
Robert
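
The loop behaviour discussed in this thread, as an added user-space example that is not the docg3 driver code or the patch under review. `NATTRS`, `fake_create()` and both `index_after_failure_*()` functions are hypothetical names; `fake_create()` stands in for a failing device_create_file().

```c
#include <stdio.h>

#define NATTRS 4		/* constructed: an array with valid indexes 0..3 */

static int fail_at;		/* index whose creation fails; -1 means never */

/* Stand-in for device_create_file(): 0 on success, negative on error. */
static int fake_create(int i)
{
	return i == fail_at ? -1 : 0;
}

/* Pattern from the thread: !ret is part of the loop condition, so the
 * i++ step still runs after the failing call, before !ret is re-tested. */
static int index_after_failure_buggy(int fail)
{
	int i, ret = 0;

	fail_at = fail;
	for (i = 0; !ret && i < NATTRS; i++)
		ret = fake_create(i);
	return i;		/* what the error path sees in i */
}

/* Direction described in the thread: test ret in the body and jump out,
 * so i is not incremented past the entry that failed. */
static int index_after_failure_fixed(int fail)
{
	int i;

	fail_at = fail;
	for (i = 0; i < NATTRS; i++)
		if (fake_create(i))
			goto err;
err:
	return i;		/* on failure, i names the failing entry */
}

int main(void)
{
	int f;

	for (f = 0; f < NATTRS; f++)
		printf("fail at %d: buggy i=%d (%s), fixed i=%d\n", f,
		       index_after_failure_buggy(f),
		       index_after_failure_buggy(f) >= NATTRS ? "past end" : "in range",
		       index_after_failure_fixed(f));
	return 0;
}
```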


