Message ID | 49AE8BA0.7060903@gmail.com |
---|---|
State | New, archived |
Roel Kluin wrote: > len is unsigned so will wrap around when sizeof(struct otp_info) is greater than > len. > > Signed-off-by: Roel Kluin <roel.kluin@gmail.com> > --- > diff --git a/drivers/mtd/onenand/onenand_base.c b/drivers/mtd/onenand/onenand_base.c > index 529af27..7c2ebe9 100644 > --- a/drivers/mtd/onenand/onenand_base.c > +++ b/drivers/mtd/onenand/onenand_base.c > @@ -2296,11 +2296,12 @@ static int onenand_otp_walk(struct mtd_info *mtd, loff_t from, size_t len, > if (!action) { /* OTP Info functions */ > struct otp_info *otpinfo; > > - len -= sizeof(struct otp_info); > - if (len <= 0) { > + if (len <= sizeof(struct otp_info)) { > + len = 0; len is not used anymore, so no need to set it to zero. > ret = -ENOSPC; > break; > } > + len -= sizeof(struct otp_info); > > otpinfo = (struct otp_info *) buf; > otpinfo->start = from; So is there somewhere that is passing a buffer too small for all the opt_info?
diff --git a/drivers/mtd/onenand/onenand_base.c b/drivers/mtd/onenand/onenand_base.c index 529af27..7c2ebe9 100644 --- a/drivers/mtd/onenand/onenand_base.c +++ b/drivers/mtd/onenand/onenand_base.c @@ -2296,11 +2296,12 @@ static int onenand_otp_walk(struct mtd_info *mtd, loff_t from, size_t len, if (!action) { /* OTP Info functions */ struct otp_info *otpinfo; - len -= sizeof(struct otp_info); - if (len <= 0) { + if (len <= sizeof(struct otp_info)) { + len = 0; ret = -ENOSPC; break; } + len -= sizeof(struct otp_info); otpinfo = (struct otp_info *) buf; otpinfo->start = from;
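Review bot: The new guard `if (len <= sizeof(struct otp_info))` still returns -ENOSPC when len is exactly sizeof(struct otp_info), so a buffer with room for precisely one entry is rejected. That matches what the old code did in the equal case (the subtraction gave 0 and `len <= 0` fired), but if len is the space remaining in buf, one struct otp_info would fit there. Either change the comparison to `<` or add a comment saying why the exact-fit case must fail. Separately, the `len = 0;` added just before `break` only matters if len is read after leaving the loop; the reply on this thread says it is not, in which case that line can be dropped and the hunk reduces to moving the check ahead of the subtraction.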
len is unsigned so will wrap around when sizeof(struct otp_info) is greater than len. Signed-off-by: Roel Kluin <roel.kluin@gmail.com> ---