[Patch V3] Staging: unisys: virthba: Fix variable length array

Ken Cox jkc at redhat.com
Fri Mar 7 16:30:27 UTC 2014


A character array was declared on the stack with variable length.  This has
been corrected to use a fixed length.

Reported-by: Dan Carpenter <dan.carpenter at oracle.com>
Signed-off-by: Ken Cox <jkc at redhat.com>
---
 drivers/staging/unisys/virthba/virthba.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/staging/unisys/virthba/virthba.c b/drivers/staging/unisys/virthba/virthba.c
index c292293..277851f 100644
--- a/drivers/staging/unisys/virthba/virthba.c
+++ b/drivers/staging/unisys/virthba/virthba.c
@@ -1439,12 +1439,15 @@ static ssize_t
 enable_ints_write(struct file *file, const char __user *buffer,
 		  size_t count, loff_t *ppos)
 {
-	char buf[count + 1];
+	char buf[4];
 	int i, new_value;
 	struct virthba_info *virthbainfo;
 	U64 *Features_addr;
 	U64 mask;
 
+	if (count >= ARRAY_SIZE(buf))
+		return -EINVAL;
+
 	buf[count] = '\0';
 	if (copy_from_user(buf, buffer, count)) {
 		LOGERR("copy_from_user failed. buf<<%.*s>> count<<%lu>>\n",
-- 
1.8.5.3



More information about the devel mailing list