[media] gspca: underflow in vidioc_s_parm()

Message ID 20150107110421.GB14864@mwanda (mailing list archive)
State Accepted, archived
Delegated to: Hans de Goede

Commit Message

Dan Carpenter Jan. 7, 2015, 11:04 a.m. UTC
"n" is a user controlled integer.  The code here doesn't handle the case
where "n" is negative and this causes a static checker warning.

	drivers/media/usb/gspca/gspca.c:1571 vidioc_s_parm()
	warn: no lower bound on 'n'

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
I haven't followed through to see if this is a real problem.

--
To unsubscribe from this list: send the line "unsubscribe linux-media" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
  

Comments

Hans de Goede Jan. 15, 2015, 10:56 a.m. UTC | #1
Hi,

On 07-01-15 12:04, Dan Carpenter wrote:
> "n" is a user controlled integer.  The code here doesn't handle the case
> where "n" is negative and this causes a static checker warning.
>
> 	drivers/media/usb/gspca/gspca.c:1571 vidioc_s_parm()
> 	warn: no lower bound on 'n'
>
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> I haven't followed through to see if this is a real problem.

Thanks for the report, it is a real problem, but since
parm->parm.capture.readbuffers is unsigned I've chosen to fix it
by making n unsigned too instead.

Regards,

Hans

>
> diff --git a/drivers/media/usb/gspca/gspca.c b/drivers/media/usb/gspca/gspca.c
> index 43d6505..27f7da1 100644
> --- a/drivers/media/usb/gspca/gspca.c
> +++ b/drivers/media/usb/gspca/gspca.c
> @@ -1565,6 +1565,8 @@ static int vidioc_s_parm(struct file *filp, void *priv,
>   	int n;
>
>   	n = parm->parm.capture.readbuffers;
> +	if (n < 0)
> +		return -EINVAL;
>   	if (n == 0 || n >= GSPCA_MAX_FRAMES)
>   		parm->parm.capture.readbuffers = gspca_dev->nbufread;
>   	else
>
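
Review bot: the added "if (n < 0) return -EINVAL;" fails the call for a negative value, while the condition on the next line handles the other out-of-range values (n == 0 and n >= GSPCA_MAX_FRAMES) by writing gspca_dev->nbufread back into parm->parm.capture.readbuffers instead of returning an error. Folding the lower bound into that existing condition, for example "if (n <= 0 || n >= GSPCA_MAX_FRAMES)", would give every out-of-range request the same result and avoid a new error path for callers.
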
  

Patch

diff --git a/drivers/media/usb/gspca/gspca.c b/drivers/media/usb/gspca/gspca.c
index 43d6505..27f7da1 100644
--- a/drivers/media/usb/gspca/gspca.c
+++ b/drivers/media/usb/gspca/gspca.c
@@ -1565,6 +1565,8 @@  static int vidioc_s_parm(struct file *filp, void *priv,
 	int n;
 
 	n = parm->parm.capture.readbuffers;
+	if (n < 0)
+		return -EINVAL;
 	if (n == 0 || n >= GSPCA_MAX_FRAMES)
 		parm->parm.capture.readbuffers = gspca_dev->nbufread;
 	else
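
Review bot: "int n" in the first context line is assigned from parm->parm.capture.readbuffers, which the maintainer's reply in this thread says is unsigned, so n can only be negative through that conversion. Declaring n with the field's unsigned type would address the warning at its source: an oversized value is then caught by the existing "n >= GSPCA_MAX_FRAMES" comparison and the added lower-bound check becomes unnecessary. The commit message could also state what a negative n leads to in the else branch, which it currently leaves open.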