Message ID | CAPgLHd-+DNxxVHsXiJpk2KFk8mzrQUkwaYPUFeWHyAmz-H6=4Q@mail.gmail.com (mailing list archive) |
---|---|
State | Superseded, archived |
Headers |
Received: from mail.tu-berlin.de ([130.149.7.33]) by www.linuxtv.org with esmtp (Exim 4.72) (envelope-from <linux-media-owner@vger.kernel.org>) id 1UKNav-0007N6-Cv; Tue, 26 Mar 2013 07:42:53 +0100 X-tubIT-Incoming-IP: 209.132.180.67 Received: from vger.kernel.org ([209.132.180.67]) by mail.tu-berlin.de (exim-4.75/mailfrontend-2) with esmtp id 1UKNau-0007dW-I7; Tue, 26 Mar 2013 07:42:53 +0100 Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1756564Ab3CZGmu (ORCPT <rfc822;mkrufky@linuxtv.org> + 1 other); Tue, 26 Mar 2013 02:42:50 -0400 Received: from mail-bk0-f44.google.com ([209.85.214.44]:62625 "EHLO mail-bk0-f44.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753784Ab3CZGmt (ORCPT <rfc822;linux-media@vger.kernel.org>); Tue, 26 Mar 2013 02:42:49 -0400 Received: by mail-bk0-f44.google.com with SMTP id jk13so436972bkc.17 for <linux-media@vger.kernel.org>; Mon, 25 Mar 2013 23:42:48 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:x-received:date:message-id:subject:from:to:cc :content-type; bh=G5IoRzicPtdkc3T5BBH4uHpGYlHnyXEbkaERi7Y5J0U=; b=WT5gnKzV3qdkeOydblpvAzn++mVdkRdsfkGk89fSoJvHX9NJ2ieRzNC+v0twiA8SBS D0rGj29l2bQS4UyEQr2TMNIrb0bAvt0rqRxkjwgVB7gskYZlsZwzoK7mhHY4Xlv57m1R sCB9+nQIx0X/6tM7/edjAq2D3hLFMguIDLR925MbvB2u9B46frBE8E+9FqVlHr4l6DLE P2ATOrsZK1Oi14lfe/HknuxrX7aQ0CBeepSkPZArf2SwpWr4xydi6zmBYQu30sdLSSZR a/o6I3KQ6afAGbumt1ycBvJ8mNP6MzYn99UzkMt0fQUhvftH5zcNiDsj2ut26ABlYhK/ Y6Xg== MIME-Version: 1.0 X-Received: by 10.204.243.3 with SMTP id lk3mr6838040bkb.38.1364280168169; Mon, 25 Mar 2013 23:42:48 -0700 (PDT) Received: by 10.204.30.210 with HTTP; Mon, 25 Mar 2013 23:42:47 -0700 (PDT) Date: Tue, 26 Mar 2013 14:42:47 +0800 Message-ID: <CAPgLHd-+DNxxVHsXiJpk2KFk8mzrQUkwaYPUFeWHyAmz-H6=4Q@mail.gmail.com> Subject: [PATCH -next] [media] go7007: fix invalid use of sizeof in go7007_usb_i2c_master_xfer() From: Wei Yongjun <weiyj.lk@gmail.com> To: hans.verkuil@cisco.com, mchehab@redhat.com, gregkh@linuxfoundation.org Cc: yongjun_wei@trendmicro.com.cn, linux-media@vger.kernel.org, devel@driverdev.osuosl.org Content-Type: text/plain; charset=ISO-8859-1 Sender: linux-media-owner@vger.kernel.org Precedence: bulk List-ID: <linux-media.vger.kernel.org> X-Mailing-List: linux-media@vger.kernel.org X-PMX-Version: 5.6.1.2065439, Antispam-Engine: 2.7.2.376379, Antispam-Data: 2013.3.26.63329 X-PMX-Spam: Gauge=IIIIIIIII, Probability=9%, Report=' CN_TLD 0.1, FORGED_FROM_GMAIL 0.1, MULTIPLE_RCPTS 0.1, HTML_00_01 0.05, HTML_00_10 0.05, BODYTEXTP_SIZE_3000_LESS 0, BODY_SIZE_1000_1099 0, BODY_SIZE_2000_LESS 0, BODY_SIZE_5000_LESS 0, BODY_SIZE_7000_LESS 0, DKIM_SIGNATURE 0, URI_ENDS_IN_HTML 0, WEBMAIL_SOURCE 0, __ANY_URI 0, __CP_URI_IN_BODY 0, __CT 0, __CT_TEXT_PLAIN 0, __DATE_TZ_HK 0, __FRAUD_WEBMAIL 0, __FRAUD_WEBMAIL_FROM 0, __FROM_GMAIL 0, __HAS_FROM 0, __HAS_MSGID 0, __HAS_X_MAILING_LIST 0, __MIME_TEXT_ONLY 0, __MIME_VERSION 0, __MULTIPLE_RCPTS_CC_X2 0, __PHISH_SPEAR_HTTP_RECEIVED 0, __PHISH_SPEAR_STRUCTURE_1 0, __PHISH_SPEAR_STRUCTURE_2 0, __SANE_MSGID 0, __TO_MALFORMED_2 0, __TO_NO_NAME 0, __URI_NO_WWW 0, __URI_NS , __YOUTUBE_RCVD 0' |
Commit Message
Wei Yongjun
March 26, 2013, 6:42 a.m. UTC
From: Wei Yongjun <yongjun_wei@trendmicro.com.cn> sizeof() when applied to a pointer typed expression gives the size of the pointer, not that of the pointed data. Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn> --- drivers/staging/media/go7007/go7007-usb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -- To unsubscribe from this list: send the line "unsubscribe linux-media" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Comments
On Tue, Mar 26, 2013 at 02:42:47PM +0800, Wei Yongjun wrote: > From: Wei Yongjun <yongjun_wei@trendmicro.com.cn> > > sizeof() when applied to a pointer typed expression gives the > size of the pointer, not that of the pointed data. > This fix isn't right. "buf" is a char pointer. I don't know what this code is doing. Instead of sizeof(*buf) it should be something like "buflen", "msg[i].len", "msg[i].len + 1" or "msg[i].len + 3". I'm not sure which is correct here or what it's doing, sorry. regards, dan carpenter -- To unsubscribe from this list: send the line "unsubscribe linux-media" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Tue, Mar 26, 2013 at 10:04:15AM +0300, Dan Carpenter wrote: > On Tue, Mar 26, 2013 at 02:42:47PM +0800, Wei Yongjun wrote: > > From: Wei Yongjun <yongjun_wei@trendmicro.com.cn> > > > > sizeof() when applied to a pointer typed expression gives the > > size of the pointer, not that of the pointed data. > > > > This fix isn't right. "buf" is a char pointer. I don't know what > this code is doing. Instead of sizeof(*buf) it should be something > like "buflen", "msg[i].len", "msg[i].len + 1" or "msg[i].len + 3". It should be "msg[i].len + 1", I think. On the line before it writes buflen bytes to the hardware. Then it clears the transfer buffer and reads "msg[i].len + 1" bytes from the hardware. Then it saves the memory, except for the first byte, in msg[i].buf. So it should clear "msg[i].len + 1" bytes so that the old data isn't confused with the data that we read from the hardware. regards, dan carpenter -- To unsubscribe from this list: send the line "unsubscribe linux-media" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Tue March 26 2013 08:35:57 Dan Carpenter wrote: > On Tue, Mar 26, 2013 at 10:04:15AM +0300, Dan Carpenter wrote: > > On Tue, Mar 26, 2013 at 02:42:47PM +0800, Wei Yongjun wrote: > > > From: Wei Yongjun <yongjun_wei@trendmicro.com.cn> > > > > > > sizeof() when applied to a pointer typed expression gives the > > > size of the pointer, not that of the pointed data. > > > > > > > This fix isn't right. "buf" is a char pointer. I don't know what > > this code is doing. Instead of sizeof(*buf) it should be something > > like "buflen", "msg[i].len", "msg[i].len + 1" or "msg[i].len + 3". > > It should be "msg[i].len + 1", I think. Yes, that's correct. 'buf' used to be a local array, so the memset was fine. I changed it to an array that was kmalloc()ed but forgot about the memset. I never noticed the bug because the sizeof the message is typically quite small, certainly smaller than sizeof(pointer) on a 64-bit system. Wei Yongjun, can you post a new patch fixing this? Thanks, Hans > > On the line before it writes buflen bytes to the hardware. Then > it clears the transfer buffer and reads "msg[i].len + 1" bytes from > the hardware. Then it saves the memory, except for the first byte, > in msg[i].buf. > > So it should clear "msg[i].len + 1" bytes so that the old data isn't > confused with the data that we read from the hardware. > > regards, > dan carpenter > > -- > To unsubscribe from this list: send the line "unsubscribe linux-media" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html > -- To unsubscribe from this list: send the line "unsubscribe linux-media" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Hi Hans and Dan Carpenter, On 03/26/2013 04:18 PM, Hans Verkuil wrote: > On Tue March 26 2013 08:35:57 Dan Carpenter wrote: >> On Tue, Mar 26, 2013 at 10:04:15AM +0300, Dan Carpenter wrote: >>> On Tue, Mar 26, 2013 at 02:42:47PM +0800, Wei Yongjun wrote: >>>> From: Wei Yongjun <yongjun_wei@trendmicro.com.cn> >>>> >>>> sizeof() when applied to a pointer typed expression gives the >>>> size of the pointer, not that of the pointed data. >>>> >>> This fix isn't right. "buf" is a char pointer. I don't know what >>> this code is doing. Instead of sizeof(*buf) it should be something >>> like "buflen", "msg[i].len", "msg[i].len + 1" or "msg[i].len + 3". >> It should be "msg[i].len + 1", I think. > Yes, that's correct. > > 'buf' used to be a local array, so the memset was fine. I changed it to an > array that was kmalloc()ed but forgot about the memset. I never noticed > the bug because the sizeof the message is typically quite small, certainly > smaller than sizeof(pointer) on a 64-bit system. > > Wei Yongjun, can you post a new patch fixing this? Thanks very much, I will send the v2 of this patch soon. Regards, Yongjun -- To unsubscribe from this list: send the line "unsubscribe linux-media" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/drivers/staging/media/go7007/go7007-usb.c b/drivers/staging/media/go7007/go7007-usb.c index 0823506..7219ae0 100644 --- a/drivers/staging/media/go7007/go7007-usb.c +++ b/drivers/staging/media/go7007/go7007-usb.c @@ -1035,7 +1035,7 @@ static int go7007_usb_i2c_master_xfer(struct i2c_adapter *adapter, buf, buf_len, 0) < 0) goto i2c_done; if (msgs[i].flags & I2C_M_RD) { - memset(buf, 0, sizeof(buf)); + memset(buf, 0, sizeof(*buf)); if (go7007_usb_vendor_request(go, 0x25, 0, 0, buf, msgs[i].len + 1, 1) < 0) goto i2c_done;