[PATCH -next] [media] go7007: fix invalid use of sizeof in go7007_usb_i2c_master_xfer()

Hans Verkuil hverkuil at xs4all.nl
Tue Mar 26 08:18:36 UTC 2013


On Tue March 26 2013 08:35:57 Dan Carpenter wrote:
> On Tue, Mar 26, 2013 at 10:04:15AM +0300, Dan Carpenter wrote:
> > On Tue, Mar 26, 2013 at 02:42:47PM +0800, Wei Yongjun wrote:
> > > From: Wei Yongjun <yongjun_wei at trendmicro.com.cn>
> > > 
> > > sizeof() when applied to a pointer typed expression gives the
> > > size of the pointer, not that of the pointed data.
> > >
> > 
> > This fix isn't right.  "buf" is a char pointer.  I don't know what
> > this code is doing.  Instead of sizeof(*buf) it should be something
> > like "buflen", "msg[i].len", "msg[i].len + 1" or "msg[i].len + 3".
> 
> It should be "msg[i].len + 1", I think.

Yes, that's correct.

'buf' used to be a local array, so the memset was fine. I changed it to an
array that was kmalloc()ed but forgot about the memset. I never noticed
the bug because the sizeof the message is typically quite small, certainly
smaller than sizeof(pointer) on a 64-bit system.

Wei Yongjun, can you post a new patch fixing this?

Thanks,

	Hans

> 
> On the line before it writes buflen bytes to the hardware.  Then
> it clears the transfer buffer and reads "msg[i].len + 1" bytes from
> the hardware.  Then it saves the memory, except for the first byte,
> in msg[i].buf.
> 
> So it should clear "msg[i].len + 1" bytes so that the old data isn't
> confused with the data that we read from the hardware.
> 
> regards,
> dan carpenter
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-media" in
> the body of a message to majordomo at vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 



More information about the devel mailing list