[smatch stuff] iio: writing past the end of the array in adis16201_read_ring_data()

J.I. Cameron jic23 at cam.ac.uk
Wed Jun 29 12:49:34 PDT 2011


On Jun 29 2011, Dan Carpenter wrote:

>Smatch complains that there is a write past the end of the array in
>adis16201_read_ring_data().  I don't know the code well enough to
>fix it myself.

Thanks for the report.

I think the intent is that tx should be null for the last
run through that loop.  I'll get this on Friday if Michael or
Dan haven't done it in the meantime.

>drivers/staging/iio/accel/adis16201_ring.c +42
>	adis16201_read_ring_data(19) error: buffer overflow 'st->tx' 14 <= 14
>drivers/staging/iio/accel/adis16201_ring.c +44
>	adis16201_read_ring_data(21) error: buffer overflow 'st->tx' 14 <= 15
>
>    36          for (i = 0; i <= ADIS16201_OUTPUTS; i++) {
>                                 ^^^^^^^^^^^^^^^^^
>	ADIS16201_OUTPUTS is 7.
>
>    37                  xfers[i].bits_per_word = 8;
>    38                  xfers[i].cs_change = 1;
>    39                  xfers[i].len = 2;
>    40                  xfers[i].delay_usecs = 20;
>    41                  xfers[i].tx_buf = st->tx + 2 * i;
>    42                  st->tx[2 * i] = ADIS16201_READ_REG(ADIS16201_SUPPLY_OUT +
>                        ^^^^^^^^^^^^^
>	tx has 14 elements.  7 * 2 is one past the end of the array.
>
>    43                                                     2 * i);
>    44                  st->tx[2 * i + 1] = 0;
>                        ^^^^^^^^^^^^^^^^^
>	We're two spaces past the end of the array here.
>
>    45                  if (i >= 1)
>    46                          xfers[i].rx_buf = rx + 2 * (i - 1);
>    47                  spi_message_add_tail(&xfers[i], &msg);
>    48          }
>
>regards,
>dan carpenter
>
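
The index arithmetic from the report, with the last transfer left without a tx buffer (one reading of the suggestion in the reply), as an added example that is not the driver's code or the eventual fix. `struct xfer` is a simplified stand-in for `struct spi_transfer`, and `REG_BASE` is a placeholder register address.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define OUTPUTS  7              /* ADIS16201_OUTPUTS, per the report */
#define TX_LEN   (2 * OUTPUTS)  /* st->tx has 14 elements, per the report */
#define REG_BASE 0x02           /* placeholder register address (assumption) */

/* Simplified stand-in for struct spi_transfer (assumption). */
struct xfer { const uint8_t *tx_buf; uint8_t *rx_buf; size_t len; };

/* Transfer i sends the address of output i and receives the data requested
 * by transfer i - 1; the last transfer only receives, so it gets no tx_buf.
 * Returns the highest tx[] index written. */
static size_t build_xfers(struct xfer *xfers, uint8_t *tx, uint8_t *rx)
{
    size_t i, max_idx = 0;

    memset(xfers, 0, sizeof(*xfers) * (OUTPUTS + 1));
    for (i = 0; i <= OUTPUTS; i++) {
        xfers[i].len = 2;
        if (i < OUTPUTS) {   /* only OUTPUTS address words fit in tx[] */
            xfers[i].tx_buf = tx + 2 * i;
            tx[2 * i] = (uint8_t)(REG_BASE + 2 * i);
            tx[2 * i + 1] = 0;
            max_idx = 2 * i + 1;
        }
        if (i >= 1)
            xfers[i].rx_buf = rx + 2 * (i - 1);
    }
    return max_idx;
}

/* Count tx[] indices the quoted loop (unconditional write) puts past the end. */
static size_t original_loop_oob_writes(void)
{
    size_t i, oob = 0;

    for (i = 0; i <= OUTPUTS; i++)
        oob += (2 * i >= TX_LEN) + (2 * i + 1 >= TX_LEN);
    return oob;
}

int main(void)
{
    struct xfer xfers[OUTPUTS + 1];
    uint8_t tx[TX_LEN], rx[TX_LEN];

    return (build_xfers(xfers, tx, rx) < TX_LEN && original_loop_oob_writes() == 2) ? 0 : 1;
}
```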