staging:iio:kfifo_buf: Fix potential buffer overflow in iio_read_first_n_kfifo

n is the number of bytes to read, not the number of samples. So if there is
enough data available we will write to the userspace buffer beyond its bounds.
Fix this by copying n bytes maximum. Also round n down to the next multiple of
the sample size, so we will only read complete samples. If the buffer is too
small to hold at least one sample return -EINVAL.

Also update the documentation of read_first_n to reflect the fact that 'n' is
supposed to be in bytes and not in samples.

Acked-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Lars-Peter Clausen authored and Greg Kroah-Hartman committed Dec 13, 2011
1 parent 641b4bb commit 8fe6495
Showing 2 changed files with 6 additions and 2 deletions.
2 changes: 1 addition & 1 deletion drivers/staging/iio/buffer.h
Expand Up @@ -21,7 +21,7 @@ struct iio_buffer;
* @mark_in_use: reference counting, typically to prevent module removal
* @unmark_in_use: reduce reference count when no longer using buffer
* @store_to: actually store stuff to the buffer
* @read_first_n: try to get a specified number of elements (must exist)
* @read_first_n: try to get a specified number of bytes (must exist)
* @mark_param_change: notify buffer that some relevant parameter has changed
* Often this means the underlying storage may need to
* change.
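Review bot: The updated @read_first_n line states the unit but not the rest of the contract the commit message describes: that n is rounded down to a whole number of samples and that a buffer smaller than one sample yields -EINVAL. If those rules are meant to hold for every buffer implementation and not only kfifo, say so here, for example "try to get up to the specified number of bytes, in whole samples (must exist)", so other implementers of the callback apply the same bound to the userspace buffer.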
6 changes: 5 additions & 1 deletion drivers/staging/iio/kfifo_buf.c
Expand Up @@ -160,7 +160,11 @@ static int iio_read_first_n_kfifo(struct iio_buffer *r,
int ret, copied;
struct iio_kfifo *kf = iio_to_kfifo(r);

ret = kfifo_to_user(&kf->kf, buf, r->bytes_per_datum*n, &copied);
if (n < r->bytes_per_datum)
return -EINVAL;

n = rounddown(n, r->bytes_per_datum);
ret = kfifo_to_user(&kf->kf, buf, n, &copied);

return copied;
}
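Review bot: ret is still assigned from kfifo_to_user() and never checked, so the function returns copied even when the copy to userspace failed; add "if (ret) return ret;" before "return copied;". Also, rounddown(n, r->bytes_per_datum) divides by bytes_per_datum, and the new "n < r->bytes_per_datum" test does not reject a zero bytes_per_datum when n is non-negative, so confirm it is always non-zero by the time this callback can run, or check for it explicitly.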