staging: comedi: avoid bad truncation of a size_t in comedi_read()

At one point in `comedi_read()`, the variable `n` gets assigned to the minimum of the parameter `nbytes` and the amount of readable buffer space `m`. The way that is done currently is unsafe in the unlikely case that `nbytes` exceeds `UINT_MAX`, so fix it. Signed-off-by: N Ian Abbott <abbotti@mev.co.uk> Reviewed-by: N H Hartley Sweeten <hsweeten@visionengravers.com> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org>

staging: comedi: avoid bad truncation of a size_t in comedi_read()
At one point in `comedi_read()`, the variable `n` gets assigned to the minimum of the parameter `nbytes` and the amount of readable buffer space `m`. The way that is done currently is unsafe in the unlikely case that `nbytes` exceeds `UINT_MAX`, so fix it. Signed-off-by: N Ian Abbott <abbotti@mev.co.uk> Reviewed-by: N H Hartley Sweeten <hsweeten@visionengravers.com> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org>
8ea93928 · Ian Abbott · Greg Kroah-Hartman · 76e8e7d4 · 8ea93928
隐藏空白更改
内联并排

Showing with 1 addition and 4 deletion

drivers/staging/comedi/comedi_fops.c drivers/staging/comedi/comedi_fops.c +1 -4

未找到文件。
--- a/drivers/staging/comedi/comedi_fops.c
+++ b/drivers/staging/comedi/comedi_fops.c
@@ -2493,13 +2493,10 @@ static ssize_t comedi_read(struct file *file, char __user *buf, size_t nbytes,
 	while (nbytes > 0 && !retval) {
 		set_current_state(TASK_INTERRUPTIBLE);

-		n = nbytes;
-
 		m = comedi_buf_read_n_available(s);
 		if (async->buf_read_ptr + m > async->prealloc_bufsz)
 			m = async->prealloc_bufsz - async->buf_read_ptr;
-		if (m < n)
-			n = m;
+		n = min_t(size_t, m, nbytes);

 		if (n == 0) {
 			unsigned runflags = comedi_get_subdevice_runflags(s);