Commit 8ea93928 authored by Ian Abbott's avatar Ian Abbott Committed by Greg Kroah-Hartman
Browse files

staging: comedi: avoid bad truncation of a size_t in comedi_read() 



At one point in `comedi_read()`, the variable `n` gets assigned to the
minimum of the parameter `nbytes` and the amount of readable buffer
space `m`.  The way that is done currently is unsafe in the unlikely
case that `nbytes` exceeds `UINT_MAX`, so fix it.

Signed-off-by: default avatarIan Abbott <abbotti@mev.co.uk>
Reviewed-by: default avatarH Hartley Sweeten <hsweeten@visionengravers.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 76e8e7d4

drivers/staging/comedi/comedi_fops.c

+1 −4
Original line number Diff line number Diff line
@@ -2493,13 +2493,10 @@ static ssize_t comedi_read(struct file *file, char __user *buf, size_t nbytes, 
	while (nbytes > 0 && !retval) {

		set_current_state(TASK_INTERRUPTIBLE);



		n = nbytes;



		m = comedi_buf_read_n_available(s);

		if (async->buf_read_ptr + m > async->prealloc_bufsz)

			m = async->prealloc_bufsz - async->buf_read_ptr;

		if (m < n)

			n = m;

		n = min_t(size_t, m, nbytes);



		if (n == 0) {

			unsigned runflags = comedi_get_subdevice_runflags(s);

CRA Git | Maintained and supported by SUSTech CRA and CCSE