Re: [PATCH] iio: ad5755: fix off-by-one on devnr limit check

From: Lars-Peter Clausen
Date: Sun Aug 21 2016 - 16:36:12 EST

Next message: Julia Lawall: "Re: [PATCH 2/2] ALSA: compress: Reduce the scope for two variables in snd_compr_set_params()"
Previous message: Florian Westphal: "Re: [PATCH 3.10 007/180] netfilter: x_tables: validate targets of jumps"
In reply to: Jonathan Cameron: "Re: [PATCH] iio: ad5755: fix off-by-one on devnr limit check"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 08/21/2016 09:30 PM, Jonathan Cameron wrote:
> On 25/07/16 23:40, Colin King wrote:
>> From: Colin Ian King <colin.king@xxxxxxxxxxxxx>
>>
>> The comparison for devnr limits is off-by-one, the current check
>> allows 0 to AD5755_NUM_CHANNELS and the limit should be in fact
>> 0 to AD5755_NUM_CHANNELS - 1. This can lead to an out of bounds
>> write to pdata->dac[devnr]. Fix this by replacing > with >= on the
>> comparison.
>>
>> Signed-off-by: Colin Ian King <colin.king@xxxxxxxxxxxxx>
> Lars?
>
> Looks correct to me.
>
> I'd also like a fixes tag for this if possible. Guessing it
> might well be the original driver introduction but best to be
> sure ;)

It's new in 4.8-rc1. It was introduced by the devictree support patch.

Fixes: c947459979c6 ("iio: ad5755: add support for dt bindings")

Next message: Julia Lawall: "Re: [PATCH 2/2] ALSA: compress: Reduce the scope for two variables in snd_compr_set_params()"
Previous message: Florian Westphal: "Re: [PATCH 3.10 007/180] netfilter: x_tables: validate targets of jumps"
In reply to: Jonathan Cameron: "Re: [PATCH] iio: ad5755: fix off-by-one on devnr limit check"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]