From: Gerhard Sittig
Date: Sun, 16 Oct 2016 16:25:21 +0000 (+0200)
Subject: asix-sigma: fix buffer length check in register write helper
X-Git-Tag: libsigrok-0.5.0~207
X-Git-Url: http://sigrok.org/gitweb/?p=libsigrok.git;a=commitdiff_plain;h=7c86d8537204caa95d70d92bf5698b32ac35fa10

asix-sigma: fix buffer length check in register write helper

Fix the array size check in the sigma_write_register() routine. The 'len' parameter specifies the number of bytes to write, while the 'buf' array holds one nibble per array item.

The previous implementation (commit e8686e3ae36c1) switched to a constant size and made the buffer large enough so that no existing request would exceed the buffer, fixing an overflow that was present before that commit. But the most recent size check was incomplete and might erroneously succeed for larger amounts of write data.

It's assumed that the issue which gets addressed here never occurred in practice. The constant-size buffer could hold up to 39 bytes of input data in their transport representation, while the largest data that was passed to the write routine is six bytes (trigger LUT params).

Fixes: e8686e3ae36c1 "asix-sigma: Avoid use of variable length arrays"
Signed-off-by: Gerhard Sittig
---
diff --git a/src/hardware/asix-sigma/protocol.c b/src/hardware/asix-sigma/protocol.c index 49163da9..d2670b4c 100644 --- a/src/hardware/asix-sigma/protocol.c +++ b/src/hardware/asix-sigma/protocol.c @@ -105,9 +105,9 @@ SR_PRIV int sigma_write_register(uint8_t reg, uint8_t *data, size_t len, uint8_t buf[80]; int idx = 0; - if ((len + 2) > sizeof(buf)) { + if ((2 * len + 2) > sizeof(buf)) { sr_err("Attempted to write %zu bytes, but buffer is too small.", - len + 2); + len); return SR_ERR_BUG; }
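
Review bot: The new bound on the `if` line, `(2 * len + 2) > sizeof(buf)`, is evaluated in `size_t` arithmetic and can wrap for a very large `len` (a `len` of half the `size_t` range makes `2 * len + 2` equal to 2), so the check would again succeed for an oversized request, which is the failure mode this commit sets out to close. Rearranging it as `len > (sizeof(buf) - 2) / 2` keeps the same 39-byte limit for `buf[80]` without multiplying the caller-supplied value. A short comment above the check stating that each data byte takes two `buf` entries, and what the two extra entries are reserved for, would make the `2 * len + 2` expression and the magic size 80 verifiable from the code alone. The `sr_err()` message now reports `len`, which matches its wording ("bytes"); printing the maximum accepted length next to it would make the log line actionable.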