From 591c5f8a599a58c7c3773027010e537fc1d7a7d5 Mon Sep 17 00:00:00 2001 From: Ian Abbott Date: Wed, 18 Nov 2015 17:55:07 +0000 Subject: staging: comedi: avoid bad truncation of a size_t in comedi_write() At one point in `comedi_write()`, the variable `n` gets assigned to the minimum of the parameter `nbytes` and the amount of writeable buffer space. The way that is done currently is unsafe in the unlikely case that `nbytes` exceeds `UINT_MAX`, so fix it. Signed-off-by: Ian Abbott Reviewed-by: H Hartley Sweeten Signed-off-by: Greg Kroah-Hartman diff --git a/drivers/staging/comedi/comedi_fops.c b/drivers/staging/comedi/comedi_fops.c index 188a12a..8c784c4 100644 --- a/drivers/staging/comedi/comedi_fops.c +++ b/drivers/staging/comedi/comedi_fops.c @@ -2357,16 +2357,13 @@ static ssize_t comedi_write(struct file *file, const char __user *buf, break; } - n = nbytes; - - m = n; + /* Allocate all free buffer space. */ + comedi_buf_write_alloc(s, async->prealloc_bufsz); + m = comedi_buf_write_n_allocated(s); + /* Avoid buffer wraparound. */ if (async->buf_write_ptr + m > async->prealloc_bufsz) m = async->prealloc_bufsz - async->buf_write_ptr; - comedi_buf_write_alloc(s, async->prealloc_bufsz); - if (m > comedi_buf_write_n_allocated(s)) - m = comedi_buf_write_n_allocated(s); - if (m < n) - n = m; + n = min_t(size_t, m, nbytes); if (n == 0) { if (file->f_flags & O_NONBLOCK) { -- cgit v0.10.2