asix-sigma: fix buffer length check in register write helper

Fix the array size check in the sigma_write_register() routine. The 'len' parameter specifies the number of bytes to write, while the 'buf' array holds one nibble per array item. The previous implementation (commit e8686e3ae3) switched to a constant size and made the buffer large enough so that no existing request would exceed the buffer, fixing an overflow that was present before that commit. But the most recent size check was incomplete and might erroneously succeed for larger amounts of write data. It's assumed that the issue which gets addressed here never occured in practice. The constant-size buffer could hold up to 39 bytes of input data in their transport representation, while the largest data that was passed to the write routine is six bytes (trigger LUT params). Fixes: e8686e3ae3 "asix-sigma: Avoid use of variable length arrays" Signed-off-by: Gerhard Sittig <gerhard.sittig@gmx.net>
2016-10-16 18:25:21 +02:00 · 2016-10-16 18:25:21 +02:00 · 7c86d85372
parent 2f7e529ce6
commit 7c86d85372
1 changed files with 2 additions and 2 deletions
--- a/src/hardware/asix-sigma/protocol.c
+++ b/src/hardware/asix-sigma/protocol.c
@ -105,9 +105,9 @@ SR_PRIV int sigma_write_register(uint8_t reg, uint8_t *data, size_t len,
 	uint8_t buf[80];
 	int idx = 0;

-	if ((len + 2) > sizeof(buf)) {
+	if ((2 * len + 2) > sizeof(buf)) {
 		sr_err("Attempted to write %zu bytes, but buffer is too small.",
-		       len + 2);
+		       len);
 		return SR_ERR_BUG;
 	}