linux-media.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH 1/3] [media] cxd2841er: don't use variable length arrays
@ 2015-08-11 18:41 Mauro Carvalho Chehab
  2015-08-11 18:41 ` [PATCH 2/3] [media] horus3a: " Mauro Carvalho Chehab
  2015-08-11 18:41 ` [PATCH 3/3] [media] ascot2e: " Mauro Carvalho Chehab
  0 siblings, 2 replies; 3+ messages in thread
From: Mauro Carvalho Chehab @ 2015-08-11 18:41 UTC (permalink / raw)
  To: Linux Media Mailing List
  Cc: Sergey Kozlov, Mauro Carvalho Chehab, Mauro Carvalho Chehab

The Linux stack is short; we need to be able to count the number
of bytes used at stack on each function. So, we don't like to
use variable-length arrays, as complained by smatch:

	drivers/media/dvb-frontends/cxd2841er.c:205:19: warning: Variable length array is used.

The max usecase of the driver seems to be 15 bytes + 1 for the
register.

So, let's be safe and allocate 17 bytes for the write buffer.
This should be enough to cover all cases. If not, let's print
an error message.

Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
---
 drivers/media/dvb-frontends/cxd2841er.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/drivers/media/dvb-frontends/cxd2841er.c b/drivers/media/dvb-frontends/cxd2841er.c
index 0d1a15109d1e..fdffb2f0ded8 100644
--- a/drivers/media/dvb-frontends/cxd2841er.c
+++ b/drivers/media/dvb-frontends/cxd2841er.c
@@ -33,6 +33,8 @@
 #include "cxd2841er.h"
 #include "cxd2841er_priv.h"
 
+#define MAX_WRITE_REGSIZE	16
+
 enum cxd2841er_state {
 	STATE_SHUTDOWN = 0,
 	STATE_SLEEP_S,
@@ -202,18 +204,24 @@ static int cxd2841er_write_regs(struct cxd2841er_priv *priv,
 				u8 addr, u8 reg, const u8 *data, u32 len)
 {
 	int ret;
-	u8 buf[len+1];
+	u8 buf[MAX_WRITE_REGSIZE + 1];
 	u8 i2c_addr = (addr == I2C_SLVX ?
 		priv->i2c_addr_slvx : priv->i2c_addr_slvt);
 	struct i2c_msg msg[1] = {
 		{
 			.addr = i2c_addr,
 			.flags = 0,
-			.len = sizeof(buf),
+			.len = len + 1,
 			.buf = buf,
 		}
 	};
 
+	if (len + 1 >= sizeof(buf)) {
+		dev_warn(&priv->i2c->dev,"wr reg=%04x: len=%d is too big!\n",
+			 reg, len + 1);
+		return -E2BIG;
+	}
+
 	cxd2841er_i2c_debug(priv, i2c_addr, reg, 1, data, len);
 	buf[0] = reg;
 	memcpy(&buf[1], data, len);
-- 
2.4.3


^ permalink raw reply related	[flat|nested] 3+ messages in thread
* [PATCH 2/3] [media] horus3a: don't use variable length arrays
  2015-08-11 18:41 [PATCH 1/3] [media] cxd2841er: don't use variable length arrays Mauro Carvalho Chehab
@ 2015-08-11 18:41 ` Mauro Carvalho Chehab
  2015-08-11 18:41 ` [PATCH 3/3] [media] ascot2e: " Mauro Carvalho Chehab
  1 sibling, 0 replies; 3+ messages in thread
From: Mauro Carvalho Chehab @ 2015-08-11 18:41 UTC (permalink / raw)
  To: Linux Media Mailing List
  Cc: Sergey Kozlov, Mauro Carvalho Chehab, Mauro Carvalho Chehab

The Linux stack is short; we need to be able to count the number
of bytes used at stack on each function. So, we don't like to
use variable-length arrays, as complained by smatch:
	drivers/media/dvb-frontends/horus3a.c:57:19: warning: Variable length array is used.

The max usecase of the driver seems to be 5 bytes + 1 for the
register.

So, let's be safe and allocate 6 bytes for the write buffer.
This should be enough to cover all cases. If not, let's print
an error message.

Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
---
 drivers/media/dvb-frontends/horus3a.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/drivers/media/dvb-frontends/horus3a.c b/drivers/media/dvb-frontends/horus3a.c
index 46a82dc586d8..5074305b289e 100644
--- a/drivers/media/dvb-frontends/horus3a.c
+++ b/drivers/media/dvb-frontends/horus3a.c
@@ -26,6 +26,8 @@
 #include "horus3a.h"
 #include "dvb_frontend.h"
 
+#define MAX_WRITE_REGSIZE      5
+
 enum horus3a_state {
 	STATE_UNKNOWN,
 	STATE_SLEEP,
@@ -54,16 +56,22 @@ static int horus3a_write_regs(struct horus3a_priv *priv,
 			      u8 reg, const u8 *data, u32 len)
 {
 	int ret;
-	u8 buf[len+1];
+	u8 buf[MAX_WRITE_REGSIZE + 1];
 	struct i2c_msg msg[1] = {
 		{
 			.addr = priv->i2c_address,
 			.flags = 0,
-			.len = sizeof(buf),
+			.len = len + 1,
 			.buf = buf,
 		}
 	};
 
+	if (len + 1 >= sizeof(buf)) {
+		dev_warn(&priv->i2c->dev,"wr reg=%04x: len=%d is too big!\n",
+			 reg, len + 1);
+		return -E2BIG;
+	}
+
 	horus3a_i2c_debug(priv, reg, 1, data, len);
 	buf[0] = reg;
 	memcpy(&buf[1], data, len);
-- 
2.4.3


^ permalink raw reply related	[flat|nested] 3+ messages in thread
* [PATCH 3/3] [media] ascot2e: don't use variable length arrays
  2015-08-11 18:41 [PATCH 1/3] [media] cxd2841er: don't use variable length arrays Mauro Carvalho Chehab
  2015-08-11 18:41 ` [PATCH 2/3] [media] horus3a: " Mauro Carvalho Chehab
@ 2015-08-11 18:41 ` Mauro Carvalho Chehab
  1 sibling, 0 replies; 3+ messages in thread
From: Mauro Carvalho Chehab @ 2015-08-11 18:41 UTC (permalink / raw)
  To: Linux Media Mailing List
  Cc: Sergey Kozlov, Mauro Carvalho Chehab, Mauro Carvalho Chehab

The Linux stack is short; we need to be able to count the number
of bytes used at stack on each function. So, we don't like to
use variable-length arrays, as complained by smatch:
        drivers/media/dvb-frontends/horus3a.c:57:19: warning: Variable length array is used.

The max usecase of the driver seems to be 10 bytes + 1 for the
register.

So, let's be safe and allocate 11 bytes for the write buffer.
This should be enough to cover all cases. If not, let's print
an error message.

Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
---
 drivers/media/dvb-frontends/ascot2e.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/drivers/media/dvb-frontends/ascot2e.c b/drivers/media/dvb-frontends/ascot2e.c
index ae7e463c2f9b..f770f6a2c987 100644
--- a/drivers/media/dvb-frontends/ascot2e.c
+++ b/drivers/media/dvb-frontends/ascot2e.c
@@ -26,6 +26,8 @@
 #include "ascot2e.h"
 #include "dvb_frontend.h"
 
+#define MAX_WRITE_REGSIZE 10
+
 enum ascot2e_state {
 	STATE_UNKNOWN,
 	STATE_SLEEP,
@@ -120,16 +122,22 @@ static int ascot2e_write_regs(struct ascot2e_priv *priv,
 			      u8 reg, const u8 *data, u32 len)
 {
 	int ret;
-	u8 buf[len+1];
+	u8 buf[MAX_WRITE_REGSIZE + 1];
 	struct i2c_msg msg[1] = {
 		{
 			.addr = priv->i2c_address,
 			.flags = 0,
-			.len = sizeof(buf),
+			.len = len + 1,
 			.buf = buf,
 		}
 	};
 
+	if (len + 1 >= sizeof(buf)) {
+		dev_warn(&priv->i2c->dev,"wr reg=%04x: len=%d is too big!\n",
+			 reg, len + 1);
+		return -E2BIG;
+	}
+
 	ascot2e_i2c_debug(priv, reg, 1, data, len);
 	buf[0] = reg;
 	memcpy(&buf[1], data, len);
-- 
2.4.3


^ permalink raw reply related	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2015-08-11 18:43 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-08-11 18:41 [PATCH 1/3] [media] cxd2841er: don't use variable length arrays Mauro Carvalho Chehab
2015-08-11 18:41 ` [PATCH 2/3] [media] horus3a: " Mauro Carvalho Chehab
2015-08-11 18:41 ` [PATCH 3/3] [media] ascot2e: " Mauro Carvalho Chehab

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).