From: Ian Abbott Date: Mon, 12 Oct 2015 16:21:24 +0000 (+0100) Subject: staging: comedi: avoid bad truncation of a size_t in comedi_read() X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=8ea939284d3ebde02d5b46d50406c2b7faae1214;p=openwrt%2Fstaging%2Fblogic.git staging: comedi: avoid bad truncation of a size_t in comedi_read() At one point in `comedi_read()`, the variable `n` gets assigned to the minimum of the parameter `nbytes` and the amount of readable buffer space `m`. The way that is done currently is unsafe in the unlikely case that `nbytes` exceeds `UINT_MAX`, so fix it. Signed-off-by: Ian Abbott Reviewed-by: H Hartley Sweeten Signed-off-by: Greg Kroah-Hartman --- diff --git a/drivers/staging/comedi/comedi_fops.c b/drivers/staging/comedi/comedi_fops.c index 92f571645f36..f39448a0d301 100644 --- a/drivers/staging/comedi/comedi_fops.c +++ b/drivers/staging/comedi/comedi_fops.c @@ -2493,13 +2493,10 @@ static ssize_t comedi_read(struct file *file, char __user *buf, size_t nbytes, while (nbytes > 0 && !retval) { set_current_state(TASK_INTERRUPTIBLE); - n = nbytes; - m = comedi_buf_read_n_available(s); if (async->buf_read_ptr + m > async->prealloc_bufsz) m = async->prealloc_bufsz - async->buf_read_ptr; - if (m < n) - n = m; + n = min_t(size_t, m, nbytes); if (n == 0) { unsigned runflags = comedi_get_subdevice_runflags(s);