[PATCH v2] iio: chemical: mhz19b: bound receive buffer copy

Pengpeng Hou posted 1 patch 1 week, 5 days ago
Posted by Pengpeng Hou 1 week, 5 days ago
`mhz19b_receive_buf()` appends bytes to the fixed 9-byte command buffer
without first checking that the new chunk fits in the remaining space.
A single receive callback can therefore write past the end of `st->buf`
before the driver sees that the command is complete.

Drop overlong chunks and reset the partial command state before the
copy.

Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
---
 drivers/iio/chemical/mhz19b.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/iio/chemical/mhz19b.c b/drivers/iio/chemical/mhz19b.c
index 3c64154918b1..fbd7f14483b3 100644
--- a/drivers/iio/chemical/mhz19b.c
+++ b/drivers/iio/chemical/mhz19b.c
@@ -240,6 +240,12 @@ static size_t mhz19b_receive_buf(struct serdev_device *serdev,
 {
 	struct iio_dev *indio_dev = dev_get_drvdata(&serdev->dev);
 	struct mhz19b_state *st = iio_priv(indio_dev);
+	size_t remaining = sizeof(st->buf) - st->buf_idx;
+
+	if (unlikely(len > remaining)) {
+		st->buf_idx = 0;
+		return len;
+	}
 
 	memcpy(st->buf + st->buf_idx, data, len);
 	st->buf_idx += len;
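Review bot: the guard at `if (unlikely(len > remaining))` discards the whole chunk, including the `remaining` bytes that would still have fit, so a chunk carrying the tail of one frame together with the head of the next loses both frames. Since the callback's return value is the number of bytes consumed, copying only what fits and returning that count, e.g. `len = min(len, remaining);` ahead of the `memcpy`, keeps the current frame intact and lets serdev redeliver the rest on the next call; if dropping is the intended behaviour, a comment on that branch and a `dev_dbg()` would make the silent reset of `st->buf_idx` easier to diagnose when a command times out.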
-- 
2.50.1 (Apple Git-155)
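The two ways of bounding the copy that this patch raises, modelled in userspace as an added example (this is not the mhz19b driver's code; the 9-byte frame length comes from the patch description, while the state struct, the completion handling, the `deliver()` loop and the sample bytes are constructed assumptions). `receive_buf_drop()` mirrors the patch: a chunk that does not fit is discarded and the partial frame is reset. `receive_buf_partial()` is the alternative of copying only what fits and reporting that many bytes as consumed, so the caller redelivers the remainder. The pre-patch behaviour is simply the `memcpy` without the `remaining` check and is deliberately not reproduced here.

```c
/* Userspace model of a serdev-style receive callback that accumulates a
 * fixed 9-byte frame.  Not the driver's code; all names are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MHZ19B_FRAME_LEN 9 /* fixed command/response length per the patch */

struct rx_state {
	uint8_t buf[MHZ19B_FRAME_LEN];
	size_t buf_idx;              /* bytes of the current frame received so far */
	unsigned int frames_done;    /* complete frames assembled */
	unsigned int chunks_dropped; /* chunks discarded by the drop variant */
};

typedef size_t (*rx_fn)(struct rx_state *, const uint8_t *, size_t);

/* Frame is complete: hand it off (here: just count it) and start over. */
static void frame_complete(struct rx_state *st)
{
	st->frames_done++;
	st->buf_idx = 0;
}

/* Variant matching the patch: an over-long chunk is dropped wholesale and
 * the partial frame state is reset.  Every byte is reported as consumed. */
static size_t receive_buf_drop(struct rx_state *st, const uint8_t *data, size_t len)
{
	size_t remaining = sizeof(st->buf) - st->buf_idx;

	if (len > remaining) {
		st->buf_idx = 0;
		st->chunks_dropped++;
		return len;
	}
	memcpy(st->buf + st->buf_idx, data, len);
	st->buf_idx += len;
	if (st->buf_idx == sizeof(st->buf))
		frame_complete(st);
	return len;
}

/* Alternative: copy only what fits and return that count, so the caller
 * redelivers the unconsumed tail in a later call.  Nothing is lost. */
static size_t receive_buf_partial(struct rx_state *st, const uint8_t *data, size_t len)
{
	size_t remaining = sizeof(st->buf) - st->buf_idx;
	size_t n = len < remaining ? len : remaining;

	memcpy(st->buf + st->buf_idx, data, n);
	st->buf_idx += n;
	if (st->buf_idx == sizeof(st->buf))
		frame_complete(st);
	return n;
}

/* Push a byte stream through a callback the way a serial core would: keep
 * calling until every byte has been consumed, delivering at most `chunk`
 * bytes per call and redelivering whatever the callback did not take. */
static void deliver(struct rx_state *st, rx_fn cb, const uint8_t *data,
		    size_t len, size_t chunk)
{
	size_t off = 0;

	while (off < len) {
		size_t n = len - off < chunk ? len - off : chunk;

		off += cb(st, data + off, n);
	}
}

/* Constructed sample: two back-to-back 9-byte frames, arbitrary values. */
static const uint8_t sample_stream[2 * MHZ19B_FRAME_LEN] = {
	0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09,
	0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19,
};

static struct rx_state run_scenario(rx_fn cb, size_t chunk)
{
	struct rx_state st = { 0 };

	deliver(&st, cb, sample_stream, sizeof(sample_stream), chunk);
	return st;
}

unsigned int frames_with_drop(size_t chunk)    { return run_scenario(receive_buf_drop, chunk).frames_done; }
unsigned int drops_with_chunk(size_t chunk)    { return run_scenario(receive_buf_drop, chunk).chunks_dropped; }
unsigned int frames_with_partial(size_t chunk) { return run_scenario(receive_buf_partial, chunk).frames_done; }

int main(void)
{
	for (size_t chunk = 1; chunk <= 12; chunk++)
		printf("chunk %2zu: drop variant %u frames (%u dropped), partial variant %u frames\n",
		       chunk, frames_with_drop(chunk), drops_with_chunk(chunk),
		       frames_with_partial(chunk));
	return 0;
}
```

Running it shows the trade-off: with 9-byte deliveries both variants assemble both frames, but with 12-byte deliveries the drop variant discards the first chunk and assembles nothing, while the partial variant takes 9 bytes, returns 9, and is handed the remaining 9 on the next call. Neither variant ever writes past `buf`, which is the property the patch is after; the partial variant additionally never loses a frame.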
Re: [PATCH v2] iio: chemical: mhz19b: bound receive buffer copy
Posted by David Lechner 1 week, 5 days ago
On 3/22/26 8:48 AM, Pengpeng Hou wrote:
> `mhz19b_receive_buf()` appends bytes to the fixed 9-byte command buffer
> without first checking that the new chunk fits in the remaining space.
> A single receive callback can therefore write past the end of `st->buf`
> before the driver sees that the command is complete.
> 
> Drop overlong chunks and reset the partial command state before the
> copy.
> 
> Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
> ---

Please don't make v2 a reply to v1. It makes it hard to see that a new
version has been sent. Also, please include a changelog here (below the
---) when sending new revisions so that we know what changed compared
to v1.

For this patch, you can just reply with the changelog instead of sending
a new revision.

Also, you received an Acked-by on v1, so you need to explain why you did
not keep that tag when you sent v2.

>  drivers/iio/chemical/mhz19b.c | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/drivers/iio/chemical/mhz19b.c b/drivers/iio/chemical/mhz19b.c
> index 3c64154918b1..fbd7f14483b3 100644
> --- a/drivers/iio/chemical/mhz19b.c
> +++ b/drivers/iio/chemical/mhz19b.c
> @@ -240,6 +240,12 @@ static size_t mhz19b_receive_buf(struct serdev_device *serdev,
>  {
>  	struct iio_dev *indio_dev = dev_get_drvdata(&serdev->dev);
>  	struct mhz19b_state *st = iio_priv(indio_dev);
> +	size_t remaining = sizeof(st->buf) - st->buf_idx;
> +
> +	if (unlikely(len > remaining)) {
> +		st->buf_idx = 0;
> +		return len;
> +	}
>  
>  	memcpy(st->buf + st->buf_idx, data, len);
>  	st->buf_idx += len;
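Review bot: `size_t remaining = sizeof(st->buf) - st->buf_idx;` assumes `st->buf_idx` never exceeds `sizeof(st->buf)` on entry; with unsigned arithmetic a larger index would wrap `remaining` to a huge value and the new check would never fire. If the existing completion path always resets `buf_idx` before the next chunk arrives that invariant holds, but either a comment stating it or a check that does not depend on it (`if (st->buf_idx >= sizeof(st->buf) || len > sizeof(st->buf) - st->buf_idx)`) would make the bound self-evident to the next reader.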